WO2011033137A1 - Method and device for advanced identification of users via a fingerprint and pin - Google Patents

Publication number
WO2011033137A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
information
external application
fingerprint
server
Application number
PCT/ES2009/000453
Other languages
Spanish (es)
French (fr)
Inventor
Iván MORENO HERVÁS
Jorge Urios Rodriguez
Original Assignee
Vanios Consulting S.L.
Application filed by Vanios Consulting S.L.
Priority to PCT/ES2009/000453
Publication of WO2011033137A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F21/34 User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35 User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly

Definitions

  • The present invention aims at a method for operating securely between environments by generating an identification code (PIN) associated with the user's biometric data.
  • A further object of the present invention is a system, the BIA system, which implements said method.
  • The present invention proposes a device specifically designed to act as a biometric reader (e.g. for fingerprints) within the BIA system, which also integrates processing means for executing, as an application in the client environment, the associated method steps, together with a communication interface for entering the information required for user registration and for operations with the host.
  • In some embodiments this device is portable, enabling its use in various circumstances regardless of the available infrastructure.
  • The BIA system is preferably based on a standard fingerprint biometric authentication algorithm such as BIOAPI, BAPI, CBEFF or ANSI X9.84. Being a standard algorithm, this guarantees that the solution is compatible with the largest number of readers currently on the market and that, should the system require a change of algorithm, this will not be reflected in its operation.
  • The search engine receives encrypted data from the identification or registration application (depending on the process being performed) and searches according to the algorithmic code obtained from positioning the fingerprint on the reader.
  • The PIN + fingerprint pair is retrieved, filtered by the former and verified against the latter from the reader, in order to send the associated data to the different modules or gateways.
  • The case in which there is more than one fingerprint per pin, and in which there are users with similar fingerprints, is provided for.
  • This approach avoids limiting the number of users by the number of digits of the pin without decreasing security. Otherwise, a 4-digit pin format would only allow 10,000 users. For this reason, the user's fingerprint is compared against all the fingerprints that correspond to the pin entered by the user, and it is possible to have more than one fingerprint per pin.
  • The process of registering a user involves a prior analysis of possible conflicts in fingerprint verification and prevents problems, since a "1 against n" search is made over all the registered fingerprints. This indicates the fingerprints that have the highest percentage of error, and the pins associated with those fingerprints are eliminated as possible pins for the new record. By offering the user one of the remaining pins, it is guaranteed that there will be no conflict with problematic fingerprints.
  • The system provides a secure data transfer environment through encrypted communications between the use and registration applications and the host. The host will implement a different encryption when communicating with the client environment or with different gateways or modules, in case the system is separated into two different environments.
  • The database on which the solution is based is independent of the system since, by means of an initial configurator, only the credentials are needed to set up the records and tables defined as essential for the solution. That is, any database already in operation can be used, since only some additional fields are required from which the information will be extracted, and the system (server) will always keep those records in memory, without increasing the load on that database or requiring a dedicated one.
  • The user presents themselves at a registration environment with the required documentation.
  • The registration application is then accessed, where the user's personal data is linked to an identifier.
  • This identifier is an internal data item that replaces the user data with those of the platform that operates behind it.
  • One of these personal data items is the biometric data of the user's fingerprint; this data never consists of the image of the fingerprint.
  • It is only an algorithmic code that represents the minutiae of the user's fingerprint, obtained by positioning the fingerprint several times on the reader; 4 times will generally be sufficient in most cases.
  • The reader used for registration can be the one integrated in the advanced biometric reader proposed in the present invention or any other compatible device.
  • The additional data (which may also be requested at another time) are all those that can be used in different operations or processes, such as a telephone number for making calls or sending messages, an email address for sending mail, different account numbers so that the most convenient one can be selected for payments, shipping addresses so that they need not be given again in subsequent processes, as well as any additional data that may later be required to carry out a process. It is important to note that this data can be extended or modified at any time, independently of the normal operation of the solution.
  • The system automatically retrieves the fingerprint from the reader and searches for it against all records in the database (what is known as a "1 against n" search).
  • The search result returns all "conflicting" fingerprints, that is, all fingerprints that could at some point be confused with that of the user in a normal process.
  • The system retrieves the pins of the related (conflicting) fingerprints in order to avoid possible confusion when issuing the PIN for the new user registration; it randomly generates a specific pin for that registration process, which will be different from those of the related fingerprints.
  • The registration process ends with the delivery of that pin to the user, in whatever way is arranged: by sending it to a mobile number or to the address, or simply by showing it on a screen or printing it on paper.
  • The personal PIN code is also used to encrypt the user's fingerprint identification code. That is, the.
  • The system collects this personal algorithmic code, preferably produced by a standard algorithm.
  • From these two data items a single one is generated and sent to the server, which breaks it down into its two parts and locates the pin in the system. Once the pin is located, it checks the associated fingerprint.
  • The BIA system is a strong authentication solution, that is, it guarantees the identity of the user who performs the operation. The operation itself is performed by the module incorporated on the platform, such as a payment, an accumulation of points, a digital signature, a signing, an access, or any other system that requires strong authentication.
  • The user wants to identify themselves to the system to perform a specific service, whether the payment of products or services, a signature operation, accumulation of points, access to an environment, or any other possibility provided by the system.
  • The user goes to the place provided for this purpose, that is, a computer with the client software, a fingerprint reader and a numeric keypad. At that point the operator types the amount on the numeric keypad and accepts the operation.
  • This data is sent securely to the server and, if both data items are verified affirmatively, the process for which that application is enabled is carried out, that is, a payment, an increase in points, the opening of an access, a signature, etc.
  • The process performed after user authentication may require information additional to the personal identifier.
  • The system can send any data that it has in its database, such as the account number to be charged, the shipping address, the telephone number, etc.
  • The modules attached to the system can in any case receive any additional information about the user, provided that it has been previously loaded into the system.
  • The system can notify the user as configured, by means of indicators on the screen of the computer or of the FingerPad (1), by sending an email or an SMS, or by any other required notification system, provided that notification data has been previously loaded into the system.
  • The present invention proposes a novel hardware component called FingerPad, which implements the required functionalities in one device. This solution makes the system truly advantageous and distinct from others, giving it autonomy.
  • The FingerPad device (1) is externally formed by a screen (2) to show different states or processes, a numeric keypad (3) to interact with the system, a fingerprint reader (4) to perform the user registration and identification processes (if no other is available), and communications components (5).
  • These communications components may vary in order to adapt to and interact with existing technology. For example, different versions are planned that include WiFi, GPRS, Ethernet, Bluetooth, direct USB cable and infrared, among others.
  • The BIA can be adapted with small modifications to any other communication system:
  • Power: the device is preferably designed to be mobile, so it must have a rechargeable battery whose recharge method and duration can vary depending on the model. However, in other possible embodiments the device may be powered from the power grid or by solar cells.
  • Fig. 1 shows an identifying image of the architecture of the host environment.
  • Fig. 2 shows an illustrative scheme of the communication functions of the system.
  • Fig. 3 represents a possible embodiment of the FingerPad device (1) and its components.
  • Figs. 4a and 4b show a block diagram of the process of registering a user.
  • Fig. 6 shows a flow chart of a user's registration.
  • Fig. 7 shows a flow chart of the operation of a user with the BIA system.
  • The BIA user identification system using fingerprint and pin consists of:
  • Communications: there are two types of communications, that of the client environment with the server, and that of the server with the gateway, module or system that uses the data collected.
  • All communications are encrypted using digital certificates, and part of that data corresponds to the application identifier, since the application authenticates to the server to guarantee its integrity. These applications can be web or desktop, as long as there is communication with the system.
  • For the server communicating with the gateway, the encryption, security levels and authentication protocols are determined by the module to be implemented; securing a payment gateway is not the same as securing a trust system.
  • The user interface is the way users interact with the system. As stated before, the system requires software that contains the processes and communications; these components must be installed on a PC. The components with which the user interacts directly are the numeric keypad and the fingerprint reader. In small, isolated environments the use of the pin may not be mandatory, since the system itself is sufficiently secure.
  • The FingerPad (1): as an addition to this user interface, and as the major innovative element of this solution, the FingerPad (1) stands out.
  • This device, composed of the components described in image 3, allows the system to be used regardless of whether or not there is an associated PC.
  • The FingerPad (1) has all the necessary software installed, with different communication packages depending on the needs and the modules that are integrated, and provides mobility through its autonomous rechargeable power system.
  • The device allows interaction with the data of the operations through its integrated keypad, and identification of users through the compatible reader it incorporates.
  • Modules, platforms or associated processes: as stated earlier, the system provides a complete identification base for different environments.
  • A fundamental component of the solution is these exploitation packages. As we have already seen, different modules will be incorporated over time, each with its own characteristics: different registered fields, different verification processes, different communications. The aim is that any method of registration, communications, payment, access, etc. can have a module previously configured in the BIA system so that it can be used as an identification channel.
  • The database that contains the user records may also contain the data of the operations performed. With this, the system implements the sending of a ticket to the mobile phone, email or any other communication system in order to verify the operations carried out. Moreover, that data will be accessible on a web page so that any user, after identifying themselves, can keep track of the operations carried out through this system and thus keep all their tickets or invoices in a safe and organized manner.
  • This data may require some other verification element.
  • The registration will consist of filling in the indicated data and registering the fingerprints, as previously indicated.
  • The number of fingerprints registered, and whether several fingerprints for one person or several fingerprints of different persons are valid for a single identifier, will depend on the specifications of the platform in question or of the end customer.
  • After performing the relevant checks, the system will generate an identification code for that user, which will be shown or sent to them depending on the system settings and the data available.
  • This pin may or may not be generated, just as it may or may not be required; this will depend on the number of users the system has and the degree of security to be provided, on the basis that the maximum level of security is provided with something you have, your finger, something you know, your pin, and something you are.
  • The system is configured to allow the same user to register more than one fingerprint, with that biometric information associated with different data (e.g. account numbers).
  • The system retrieves the amount, either through a connection to the traditional collection system, or by entering it on the keypad of the FingerPad or of the one provided by the system.
  • The system will ask for user identification by entering the pin, if necessary, and positioning the fingerprint.
  • The system will uniquely recognize the user who has performed the operation and return the data it requires, on the one hand to the customer and on the other to the payment gateway, in this case, or to the module being used at that moment.
  • These processes are common to all modules attached to the system since, once the module identifies the user and the operation, it performs the required operations and returns, if required, the information to the user.
  • If the data required by the payment system is the account number and the user has entered two in the same record, the system will show both, securely, by encrypting the numbers or using aliases, so that the user chooses the one they want to operate with at that time.
  • The result of the operation will be sent to a repository accessible to the user, a mobile phone, an email address, or any system associated with the solution that has that user's data.
  • This data can be merely informative, or it may involve some kind of interaction by the user, such as validating the operation, or simply retrieving the operation data and having a web repository to control their operations.
  • The system has access to the operation performed, be it a purchase, an access or any other process, and it can be retrieved in a web environment so that, after user authentication, the user can see all the operations carried out. Paper can thus be dispensed with, because the ticket can be sent to the mobile phone and even viewed on the internet, providing a system for recording the operations.
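
The enrolment and identification logic described in the list above (the "1 against n" conflict search, random PIN assignment that skips the PINs of similar fingerprints, and PIN-first lookup), as an added Python example that is not code from the patent or its applicants. The Jaccard score over sets of minutiae tuples, the two thresholds and all class and function names are assumptions made for illustration.

```python
import secrets

# Assumption: a template is a frozenset of quantised minutiae (x, y, angle)
# and two templates are compared with Jaccard similarity. Real matchers differ.
CONFLICT_THRESHOLD = 0.40  # enrolment: this similar or more counts as "conflicting"
MATCH_THRESHOLD = 0.70     # identification: minimum score to accept a probe


def similarity(a, b):
    """Jaccard similarity of two minutiae sets, in [0, 1]."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


class PinSpaceExhausted(RuntimeError):
    """Every PIN is already held by a fingerprint that conflicts with the new one."""


class Registry:
    def __init__(self, pin_digits=4, rng=None):
        self.pin_digits = pin_digits
        self.buckets = {}  # pin -> [(user_id, template), ...]
        # PINs must be unpredictable, so default to the OS CSPRNG.
        self._rng = rng or secrets.SystemRandom()

    def conflicting_pins(self, template):
        """The "1 against n" pass: PINs of every enrolled template that is similar."""
        return {
            pin
            for pin, records in self.buckets.items()
            for _, enrolled in records
            if similarity(template, enrolled) >= CONFLICT_THRESHOLD
        }

    def enroll(self, user_id, template):
        """Assign a random PIN that no conflicting fingerprint already uses."""
        excluded = self.conflicting_pins(template)
        all_pins = (f"{n:0{self.pin_digits}d}" for n in range(10 ** self.pin_digits))
        candidates = [p for p in all_pins if p not in excluded]
        if not candidates:
            # Edge case: too many similar fingerprints for this PIN length.
            raise PinSpaceExhausted("no conflict-free PIN left; lengthen the PIN")
        pin = self._rng.choice(candidates)
        self.buckets.setdefault(pin, []).append((user_id, template))
        return pin

    def identify(self, pin, probe):
        """Filter by PIN first, then match the probe only inside that bucket."""
        best_user, best_score = None, 0.0
        for user_id, enrolled in self.buckets.get(pin, []):
            score = similarity(probe, enrolled)
            if score > best_score:
                best_user, best_score = user_id, score
        return best_user if best_score >= MATCH_THRESHOLD else None


def make_template(shared, unique_tag, unique_count):
    """Constructed sample data: `shared` common minutiae plus some unique ones."""
    common = {(k, k, 0) for k in range(shared)}
    own = {(1000 * unique_tag + k, 0, 90) for k in range(unique_count)}
    return frozenset(common | own)


def demo():
    """Enrol 27 users into a 1-digit PIN space and identify one of them."""
    reg = Registry(pin_digits=1)           # only 10 PINs, so buckets are shared
    alice = make_template(14, 1, 6)
    bob = make_template(14, 2, 6)          # similar to alice: 14/26 = 0.54
    pins = {"alice": reg.enroll("alice", alice), "bob": reg.enroll("bob", bob)}
    for i in range(3, 28):                 # 25 unrelated users
        pins[f"user{i}"] = reg.enroll(f"user{i}", make_template(0, i, 20))
    probe = alice - {(0, 0, 0)}            # noisy read: one minutia missing
    return pins, reg.identify(pins["alice"], probe)


if __name__ == "__main__":
    pins, who = demo()
    print("alice PIN:", pins["alice"], "bob PIN:", pins["bob"], "identified:", who)
```

The conflict threshold is set below the match threshold so that any two templates close enough to be confused at identification time are already kept in different PIN buckets at enrolment.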

Abstract

The invention relates to a method and system for identifying a user and operating with an external application, such as an access control or payment system, by encoded reading of the biometric information of said user, preferably the fingerprint. The identity of the user is validated in the server where said user has previously registered and the data required to perform the operation is accessed. Said action is performed over a gateway which interacts with the two server-application entities. Said gateway notifies the server of the outcome of the operation, and the latter can notify the user in turn. The invention involves the user interacting with the present system via a specifically designed device (FingerPad), which includes the means required for reading the biometric information of the user and for communicating with the server, as well as for notifying the outcome of the operation.

Description

METHOD AND DEVICE FOR ADVANCED IDENTIFICATION OF USERS VIA A FINGERPRINT AND PIN
This system, which we will call the "BIA" system (from the Spanish "Biométrico Avanzado", Advanced Biometric) in this application, is focused on the authentication of users in telematic environments using the fingerprint. To guarantee these operations and to be able to build an infrastructure based on this platform, a series of mechanisms have been provided that enhance the security, scalability and mass distribution of this solution.
The BIA system provides a secure environment for transactions and communications with other entities. This is achieved mainly by verifying the user's identity through their biometric information, preferably the fingerprint, and associating it with an additional personal code (pin). This ensures that the service requested by the user and provided by an entity external to the system is robust and reliable. One of the modules of the BIA system provides the pin to the user, taking into account that other users with similar fingerprints must have a different pin. The pin will also be used to encrypt the user's communications.
As part of the system, the use of a specific device called "FingerPad" is planned to integrate the functions required for users to operate with the BIA system. Among other functions, this device is responsible for reading the biometric information and optionally the pin, encrypting it and transmitting it to where it will be verified. Similarly, it also receives and displays the result of the verification carried out.
All of this is intended to create an authentication platform that different entities can join in order to plug into various operating environments, such as, among others:
- Payment system associated with the fingerprint.
- Loyalty system.
- Access controls.
- Presence controls.
- Distributed electronic signature system.
BACKGROUND OF THE INVENTION
This system belongs to the category of biometric authentication solutions based on the fingerprint. Many solutions predate this invention, such as the traditional biometric authentication system and "Match On Card" systems, in which the biometric component is stored on a card and the verification is carried out on the card itself. The fingerprint placed on the reader is compared 1 to 1 with the one stored on the card, and the result always requires a computer on which to display the verification result, plus a fingerprint reader and a card reader, without any other additional process being performed on the card. These types of systems all run into the same problem: they cannot be deployed on a massive scale because of the cost of components and the incompatibility of elements such as drivers, cards, operating systems and the different algorithms associated with fingerprint recognition. All of this makes impossible a universal solution that can serve as a scalable basis for different subsequent processes. In addition, there is a rate of error and insecurity in the service offered by this type of system, mainly because a correct fingerprint may be placed on a reader other than the one used for the registration process and an error be returned, which is known as the false negative rate. Similarly, using different registration and identification software may produce an error in the compatibility of the registered fingerprint.
Además de estos inconvenientes, los sistemas tradicionales de identificación biométrica se limitan a devolver un determinado dato que será la identidad del usuario que está usando el sistema. En cambio, el sistema BIA, ofrece una funcionalidad adicional integrando una plataforma de autenticación y de acceso a los datos alojados en bases de datos y que estén asociados a dicho usuario. Por tanto, además de devolver el dato identificativo del usuario, se puede devolver cualquier registro al que el sistema BIA tenga acceso. Esto es posible debido a que los diferentes módulos que se incorporan a la solución ya disponen de esas especificaciones. Estos módulos son plataformas de comunicación en sí mismas, sólo necesitan un lugar donde remitir la configuración y los datos que se requieren, y ya se puede obtener un canal seguro entre el emisor (un lector dé huellas sobre un pe o un dispositivo específico como FingerPad), y el receptor.  In addition to these inconveniences, traditional biometric identification systems are limited to returning a certain data that will be the identity of the user who is using the system. In contrast, the BIA system offers additional functionality by integrating an authentication platform and access to data hosted in databases that are associated with said user. Therefore, in addition to returning the user identification data, any record to which the BIA system has access can be returned. This is possible because the different modules that are incorporated into the solution already have these specifications. These modules are communication platforms in themselves, they only need a place to send the configuration and data that are required, and a secure channel between the sender can already be obtained (a fingerprint reader on a pe or a specific device such as FingerPad ), and the receiver.
The BIA system is therefore not just an identification system. It is also intended to be a standard, extensible and scalable platform for inter-process communication that guarantees and verifies, unequivocally, that the user is who they claim to be. If the user check succeeds, it also performs other operations through gateways, which are responsible for communicating with other external modules. Attempts have so far been made to build platforms on alternative devices such as bank cards, identity documents, or assorted solutions such as one-time passwords sent to a mobile phone, radio-frequency systems, proximity cards, etc., but all of them suffered from problems of distribution, maintenance, associated costs, reliability and standardization of the media.
These drawbacks are resolved by the BIA system. Because it is based on the fingerprint and supported by a user identification code (PIN), it increases security and protection. In addition, a device specifically designed to let the user operate in the system implements the necessary functionality in a single unit. This provides an alternative for cases in which it is not possible or not convenient to use a computer with the peripherals and interfaces the BIA system requires. With all these characteristics, the BIA system meets the requirements of standardization, reliability, universality, scalability, cost, etc. that a platform of this scale needs, with a view to a later worldwide deployment.
DESCRIPTION OF THE INVENTION
The object of the present invention is a method for operating securely between environments by generating an identification code (PIN) associated with the user's biometric data. A further object of the invention is a system, the BIA system, that implements this method. In particular, the invention proposes a device specifically designed to act as a biometric reader (e.g. for fingerprints) within the BIA system. The device also integrates processing means for executing, as an application in the client environment, the associated steps of the method, together with a communication interface for entering the information required for user registration and for operations with the host. In some embodiments this device is portable, so that it can be used in varied circumstances regardless of the infrastructure available.
The BIA system preferably starts from a standard fingerprint biometric authentication algorithm such as BIOAPI, BAPI, CBEFF or ANSI X9.84. Because the algorithm is standard, the solution is compatible with the largest number of readers currently on the market, and if the system ever requires a change of algorithm, this will not affect its operation. In certain situations, however, mainly for security reasons, an algorithm designed specifically for the authentication may be preferable. This may be the case for military applications.

In addition, the system requires a host environment. This environment can be common to all the applications of the system, or specific to particular needs, as seen in the previous point. The host environment contains the search engine and the system for automatic generation of user identification codes (PIN). The search engine receives encrypted data from the identification or registration application (depending on the process being carried out) and searches according to the algorithmic code obtained from placing the fingerprint on the reader. By applying the algorithm, the PIN + fingerprint pair is recovered, filtered by the former and verified against the latter on the reader, so that the associated data can be sent to the various modules or gateways.
The present invention allows for the case in which there is more than one fingerprint per PIN and in which there are users with similar fingerprints. This approach avoids limiting the number of users by the number of digits in the PIN, without reducing security. Otherwise, a 4-digit PIN format would only allow 10,000 users. For this reason, the user's fingerprint is compared against all the fingerprints that correspond to the PIN the user entered, which makes it possible to have more than one fingerprint per PIN.
As mentioned, for robustness the user registration process includes a prior analysis of possible conflicts in fingerprint verification and prevents problems, since a "1 against n" comparison is run over all the registered fingerprints. This identifies the fingerprints with the highest percentage of error, and the PINs associated with those fingerprints are eliminated as possible PINs for the new registration. By offering the user one of the remaining PINs, the system guarantees that there will be no conflict with problematic fingerprints.
In terms of communication, the system provides a secure data transfer environment through encrypted communications between the usage and registration applications and the host. The host uses a different encryption when communicating with the client environment or with the various gateways or modules, in case the system is split across two different environments. The database that supports the solution is independent of the system: through an initial configurator, only credentials are needed to set up the records and tables defined as essential for the solution. That is, any database already in operation can be used, since only a few additional fields are required from which the information will be extracted, and the system (server) always keeps those records in memory, without increasing the workload of that database or requiring a dedicated one.
The system works as follows.
Registration process:
1. The user appears at a registration environment and presents the required documentation.
2. The registration application is then opened, where the user's personal data are linked to an identifier. This identifier is an internal datum that links the user data with the data of the platform operating behind it. One of these personal data is the biometric datum of the user's fingerprint, which at no time consists of the image of the fingerprint. On the contrary, it is only an algorithmic code that represents the minutiae points of the corresponding user's fingerprint, obtained by placing the fingerprint on the reader several times; 4 times will generally be enough in most cases. This registration reader can be the one integrated in the advanced biometric reader proposed in the present invention or in any other compatible device.
3. The additional data (which may also be requested at another time) are all those that can be used in different operations or processes, such as a telephone number for making calls or sending messages, an e-mail address for sending mail, several account numbers so that the most convenient one can be selected for payments, shipping addresses so that they do not have to be given again in later processes, and any supplementary data that may later be required to carry out the process. It is important to note that these data can be extended or modified at any time, independently of the normal operation of the solution.
4. At the moment the fingerprint is first placed on the reader for registration, the system automatically retrieves that fingerprint from the reader and searches for it against all the records in the database (what is known as a "1 against n" search).
5. The result of the search returns all the "conflicting" fingerprints, that is, all the fingerprints that could at some point be confused with the user's fingerprint in a normal process.
6. Since every fingerprint entered in the system has a user identification code (PIN), the system retrieves the PINs of the similar fingerprints (those found to be conflicting) in order to avoid confusion with the fingerprint entered by the user. When assigning the PIN for the new user record, it randomly generates one specific to that registration process, which will be different from those of the similar fingerprints.
7. The registration process ends with the delivery of that PIN to the user in whatever way has been arranged: by sending it to a mobile number or to the home address, or simply by showing it on a screen or printing it on paper.
The personal PIN also serves to encrypt the identifying code of the user's fingerprint. That is, when the user places the fingerprint on the reader, the system captures this personal algorithmic code, preferably produced by a standard algorithm. At the same time the user enters the PIN. From these two items a single datum is generated and sent to the server, which splits it into its two parts and looks up the PIN in the system. Once it has located the PIN, it verifies the associated fingerprint. More than one distinct fingerprint may be associated with the same PIN, but the initial registration has already verified that fingerprints sharing a PIN will not conflict, since they are not similar.
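Registration steps 4 to 7 and the PIN-then-fingerprint lookup described above can be seen working together in the following added Python example, which is not part of the patent text. It assumes a template is a set of quantised minutiae tuples, uses Jaccard overlap as a stand-in for a real fingerprint matcher, and the class name, thresholds and sample users are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field


def similarity(a, b):
    """Jaccard overlap of two minutiae sets (assumed stand-in for a real matcher)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


@dataclass
class BiaRegistry:
    pin_digits: int = 4
    conflict_threshold: float = 0.30  # assumed: at or above this, prints are "conflicting"
    match_threshold: float = 0.60     # assumed: score required to accept a probe
    buckets: dict = field(default_factory=dict)  # pin -> [(user_id, template), ...]

    def conflicting_pins(self, template):
        """Registration steps 4-6: 1-against-n search, collect PINs of similar prints."""
        return {
            pin
            for pin, records in self.buckets.items()
            for _, stored in records
            if similarity(template, stored) >= self.conflict_threshold
        }

    def enroll(self, user_id, template):
        """Assign a random PIN that no similar fingerprint already uses."""
        blocked = self.conflicting_pins(template)
        space = 10 ** self.pin_digits
        if len(blocked) >= space:
            raise RuntimeError("every PIN is held by a conflicting fingerprint")
        while True:  # rejection sampling with a CSPRNG
            pin = f"{secrets.randbelow(space):0{self.pin_digits}d}"
            if pin not in blocked:
                break
        self.buckets.setdefault(pin, []).append((user_id, template))
        return pin

    def verify(self, pin, probe):
        """Filter by PIN first, then match the probe only inside that bucket."""
        best_user, best_score = None, 0.0
        for user_id, stored in self.buckets.get(pin, []):
            score = similarity(probe, stored)
            if score > best_score:
                best_user, best_score = user_id, score
        return best_user if best_score >= self.match_threshold else None


def demo_template(user_index, n=30):
    """Constructed sample data: n (x, y, angle) minutiae unique to one user."""
    return frozenset((10 * i, user_index, i % 16) for i in range(n))


def run_demo():
    reg = BiaRegistry(pin_digits=1)  # only 10 PINs, so users must share them
    alice = demo_template(0)
    # Bob shares half of Alice's minutiae: similarity 15/45 = 0.33, a conflict.
    bob = frozenset(sorted(alice)[:15]) | frozenset(sorted(demo_template(1))[15:])
    alice_pin = reg.enroll("alice", alice)
    bob_pin = reg.enroll("bob", bob)
    for k in range(2, 14):  # 12 unrelated users: 14 users over 10 PINs
        reg.enroll(f"user{k}", demo_template(k))
    # Noisy capture of Alice: 4 minutiae missed, 2 spurious ones added (26/32 = 0.81).
    probe = frozenset(sorted(alice)[:26]) | {(999, 999, 0), (998, 999, 1)}
    other_pins = [p for p in reg.buckets if p != alice_pin]
    return {
        "alice_pin": alice_pin,
        "bob_pin": bob_pin,
        "largest_bucket": max(len(r) for r in reg.buckets.values()),
        "right_pin": reg.verify(alice_pin, probe),
        "wrong_pin_accepts": [p for p in other_pins if reg.verify(p, probe)],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The gap between the two thresholds is the safety margin: prints that would never match each other at 0.60 are still kept out of the same PIN bucket, so a noisy capture cannot drift into a neighbour's record. With a 1-digit PIN the 14 users necessarily share PINs, yet the probe is accepted only under the PIN issued to its owner.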
Once the user is registered in the system, the system can be used. As noted earlier, the BIA system is a strong authentication solution, that is, it guarantees the identity of the user who performs the operation. The operation itself is carried out by the module incorporated on the platform, such as a payment, an accumulation of points, a digital signature, a time-clock check-in, an access, or any other system that requires strong authentication.
Having discussed the processes that can be triggered after the user is identified, we now explain the usage process.
Usage process:
1. The user wants to identify themselves to the system in order to carry out a specific service, whether it is payment for products or services, a signature operation, an accumulation of points, access to an environment, or any other possibility the system provides.
2. The user goes to the place provided for this purpose, that is, a computer with the client software, a fingerprint reader and a numeric keypad. At that moment the operator types the amount on the numeric keypad and accepts the operation.
3. Next, the user must type their personal identifier (PIN) and place their fingerprint on the reader provided for this purpose.
4. This datum is sent securely to the server, and if both items are verified successfully, the process for which the application is enabled is carried out, that is, a payment, an increase in points, the opening of an access, a signature, etc.
5. This process, carried out after the user has been authenticated, may require data beyond the personal identifier. At this point the system can send any data it holds in its database, such as the account number to be charged, the shipping address, the telephone number, etc. The modules attached to the system can therefore receive any additional information about the user, provided it has previously been loaded into the system.
6. After the operation has been carried out, the system can notify the user as configured: by indicators on the screen of the computer or the FingerPad (1), by sending an e-mail or an SMS, or by any other notification system required, provided that the notification data have previously been loaded into the system.
7. If the operation is not valid, different options are available, such as: asking the user to re-enter their credentials, requesting another authentication method, identifying the user with a 1-against-n search, returning or not the associated PIN if the user is in the system, or indicating that they are not a registered user and should register in order to use the system.

With all this, what the BIA strong authentication system offers is an environment for the unequivocal identification of users, generating a platform to which modules performing different processes can be added. These processes can delegate authentication to this system, since it will always hold a valid identifier for the user, as well as any data of interest for the operation that were entered during the registration process.
As explained above, the present invention proposes a novel hardware component, called the FingerPad, that implements the required functionality in one device. This solution sets the system apart from others and gives it a real advantage by making it autonomous.
The FingerPad device (1) consists externally of a screen (2) for showing different states or processes, a numeric keypad (3) for interacting with the system, a fingerprint reader (4) for carrying out the user registration and identification processes (if no other reader is available), and communications components (5). These communications components can vary in order to adapt to and interact with existing technology. For example, different versions are envisaged with WIFI, GPRS, Ethernet, Bluetooth, direct USB cable and infrared communication, among others. The BIA can nevertheless be adapted to any other communication system with minor modifications. As for power, the device is preferably designed to be mobile, so it must have a rechargeable battery whose recharging method and duration can vary by model. In other possible embodiments, however, the device may be powered from the mains or by solar cells.
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 shows an identifying image of the architecture of the host environment.
Fig. 2 shows an illustrative diagram of the communication functions of the system.
Fig. 3 represents a possible embodiment of the FingerPad device (1) and its components.
Fig. 4a and 4b show a block diagram of the user registration process.
Fig. 5 is a functional diagram of the host environment.
Fig. 6 is a flow chart of the registration of a user.
Fig. 7 is a flow chart of a user's operation with the BIA system.
PREFERRED EMBODIMENT OF THE INVENTION
As shown in figure 1 with regard to architecture and in figure 2 with regard to communications, the BIA system for identifying users by fingerprint and PIN consists of:
- Host environment: this environment implements the functionality of the standard biometric identification algorithm with the optimizations described above, the user code generation system, the database associated with the system, and the proprietary applications that carry out user analysis and control operations.
- Client environment: from the client environment, the operations performed by the user are communicated to the host. These applications carry out credential registration and user identification, depending on the process under way.
- Communications: there are two types of communication, that of the client environment with the server, and that of the server with the gateway, module or system that makes use of the data collected. In the first case, all communications are encrypted using digital certificates, and part of the data corresponds to the identifier of the application, since the application authenticates itself to the server to guarantee its integrity. These applications can be web or desktop applications, as long as there is communication with the system. In the second case, the server communicating with the gateway, the encryption, security levels and authentication protocols are determined by the module being implemented: securing a payment gateway is not the same as securing a loyalty system.
- User interface: the user interface is the way users interact with the system. As noted earlier, the system requires software containing certain processes and communications, and these components must be installed on a PC. The components the user interacts with directly are the numeric keypad and the fingerprint reader. In small, isolated environments, use of the PIN may not be mandatory, since the system in itself is sufficiently secure.
As an addition to this user interface, and a major innovative element of this solution, there is the FingerPad (1). This device, made up of the components shown in image 3, allows the system to be used whether or not an associated PC is present. The FingerPad (1) has all the necessary software installed, along with different communication packages depending on the needs and on the modules integrated, and it provides mobility thanks to its self-contained rechargeable power supply. The device allows interaction with operation data through its built-in keypad, and user identification through the compatible reader it incorporates.
Associated modules, platforms or processes: as stated earlier, the system provides a complete identification base for different environments. These exploitation packages are a fundamental component of the solution. As already seen, different modules will be incorporated over time, each with its own characteristics: different registered fields, different verification processes, different communications. The aim is that any method of registration, communication, payment, access, etc. can have a module previously configured in the BIA system so that the system can be used as its identification channel.
Operations logging system: the database that holds the user records can also hold the data of the operations performed. With this, the system implements the sending of a ticket to a mobile phone, e-mail or any other communication system so that the operations performed can be verified. Moreover, this data will be accessible on a web page, so that any user, after identifying themselves, can keep track of the operations carried out through this system and so keep all their tickets or invoices in a secure and organized way. Having described the components that make up the solution, we now describe an example of use, indicating the steps that would be common to any associated platform or module and those specific to this particular example:
Example of the BIA system with a payment platform.
To incorporate a payment platform into the BIA system, the fields or records that will be useful to the system must be clearly defined. In this case we take the following data to be necessary:
- Account number or numbers
- User name
- Telephone number
- E-mail address
- National ID (DNI) number
Depending on the degree of security the system requires, these data may need some additional verification element.
Once all the required data have been defined, they are added to the registration process application. From then on, any environment that wants to, or is able to, act as a BIA system registration environment for payment platforms can do so using this application, which allows certain modifications depending on the needs.
Once this application is in place, users can register in the environments provided for that purpose.
Registration consists of filling in the indicated data and enrolling the fingerprints, as previously described. The number of fingerprints enrolled, and whether several fingerprints are valid for one person or several fingerprints from different people for a single identifier, depends on the specifications of the platform in question or of the end customer.
After performing the relevant checks, the system generates an identifying code for that user, which is shown or sent to the user depending on the system configuration and the data available.
As stated earlier, this PIN may or may not be generated, and may or may not be required; this depends on the number of users the system has and on the degree of security desired, on the basis that the maximum level of security is provided with something you have (your finger), something you know (your PIN), and something you are.
Once the user is registered and has entered all the required data, in some cases with several values, such as several account numbers enabled for that finger, payment for a series of products and services can proceed. The system is configured to allow one user to enroll more than one fingerprint and to have that biometric information associated with different data (e.g. account numbers). Optionally, several fingerprints of the user can be authorized and enrolled in the system and associated with the same data, which minimizes false-negative problems.
Returning to the moment of payment, the system obtains the amount either through a connection to the traditional point-of-sale system, or by entry on the FingerPad keypad or on the keypad provided by the system. The system then asks the user to identify themselves by entering the PIN, if required, and placing the finger on the reader.
If all goes well, the system uniquely recognizes the user performing the operation and returns the required data, on the one hand to the client and on the other to the payment gateway, in this case, or to whichever module is in use at the time. These processes are common to all modules attached to the system; once the module has identified the user and the operation, it carries out the required operations and returns the information to the user, if required. In the example at hand, since the datum the payment system requires is the account number and the user entered two values in the same record, the system displays both, securely, by encrypting the numbers or using aliases, so that the user can choose which one to operate with at that moment. This opens the door to other payment options such as prepayment, a current account, a credit account, etc. The result of the operation is sent to a repository accessible to the user, a mobile phone, an e-mail address, or any system associated with the solution that holds that user datum. This may be purely informative or may involve some interaction by the user, such as validating the operation or simply retrieving the operation data and having a web repository for keeping track of their operations.
In addition to this point, and independently of the previous example, whenever the system has access to the operation performed, whether a purchase, an access or any other process, it can be retrieved in a web environment so that the user, after authenticating, can see all operations performed. Paper receipts can even be dispensed with, since the ticket or receipt can be sent to the mobile phone and can also be viewed online, providing a record of operations.
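Added example, not part of the patent text: a Python sketch of the enrollment rule in claim 4 (a PIN that differs from those of fingerprints with similar minutiae) and of the PIN-then-fingerprint identification step in the payment example above. The minutiae format, the similarity measure, both thresholds, the masked-account aliases and every name are assumptions; the sample templates and account numbers are constructed.

```python
import secrets
from dataclasses import dataclass

SIMILAR = 0.4  # assumed: templates at least this alike must not share a PIN
MATCH = 0.8    # assumed: score needed to accept a probe as the enrolled finger


def similarity(a, b, tol=3, ang_tol=10):
    """Toy score: share of minutiae (x, y, angle) in a with a counterpart in b."""
    if not a or not b:
        return 0.0

    def near(m, n):
        d = abs(m[2] - n[2]) % 360
        return (abs(m[0] - n[0]) <= tol and abs(m[1] - n[1]) <= tol
                and min(d, 360 - d) <= ang_tol)

    hits = sum(1 for m in a if any(near(m, n) for n in b))
    return hits / max(len(a), len(b))


@dataclass
class Record:
    user_id: str
    template: frozenset
    pin: str
    accounts: list


class Registry:
    def __init__(self, pin_digits=4):
        self.pin_digits = pin_digits
        self.records = []

    def enroll(self, user_id, template, accounts):
        """Store a fingerprint and return a PIN no look-alike fingerprint holds."""
        blocked = {r.pin for r in self.records
                   if similarity(template, r.template) >= SIMILAR}
        space = 10 ** self.pin_digits
        if len(blocked) >= space:
            raise RuntimeError("no free PIN for this group of similar fingerprints")
        while True:
            pin = f"{secrets.randbelow(space):0{self.pin_digits}d}"
            if pin not in blocked:
                break
        self.records.append(
            Record(user_id, frozenset(template), pin, list(accounts)))
        return pin

    def identify(self, pin, probe):
        """PIN selects the candidate bucket; the fingerprint decides within it."""
        hits = [r for r in self.records
                if r.pin == pin and similarity(probe, r.template) >= MATCH]
        return hits[0] if len(hits) == 1 else None  # none or ambiguous: reject


def aliases(record):
    """Masked account labels for the user to choose from (assumed alias format)."""
    return ["****" + acct[-4:] for acct in record.accounts]


# Constructed sample templates: BOB shares three of five minutiae with ALICE.
ALICE = {(10, 10, 0), (20, 30, 90), (40, 15, 180), (55, 60, 270), (70, 25, 45)}
BOB = {(10, 10, 0), (20, 30, 90), (40, 15, 180), (90, 90, 10), (5, 80, 300)}
# Constructed probe: Alice's finger read again with small sensor jitter.
ALICE_PROBE = {(11, 10, 2), (20, 31, 88), (41, 15, 181), (55, 59, 268), (70, 26, 47)}

if __name__ == "__main__":
    reg = Registry()
    # Constructed account numbers.
    pin_a = reg.enroll("alice", ALICE, ["ES7600001111", "ES7600002222"])
    pin_b = reg.enroll("bob", BOB, ["ES7600003333"])
    print("PINs differ:", pin_a != pin_b)
    user = reg.identify(pin_a, ALICE_PROBE)
    print(user.user_id, aliases(user))
    print("Alice's finger with Bob's PIN:", reg.identify(pin_b, ALICE_PROBE))
```

In this model the PIN narrows a 1:N search to the records holding that PIN, so two enrolled fingerprints that score at or above `SIMILAR` against each other never land in the same bucket.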

Claims

1. Method for identifying a user and operating with an external application, characterized in that it comprises the following steps:
- reading and encoding the access biometric information of the user who operates with an external application by means of a terminal,
- sending the access biometric information to a server,
- validating the access biometric information against the user registration information that resides on the server,
- completing, with the registration information corresponding to said user, the data required to operate with the external application by means of a gateway that interacts between the external application and the server and notifies the server of the result of the execution of the external application.
2. Method according to claim 1, characterized in that the biometric information read is a fingerprint.
3. Method according to claim 2, characterized in that, in addition to the biometric information, the user enters an associated personal key or PIN.
4. Method according to any one of the preceding claims, characterized in that the registration of a user in the system comprises the following steps:
- extracting the minutiae points from the user's fingerprint for the unique identification of the user in the system,
- comparing the user's fingerprint with the fingerprints of users registered in the system in order to generate a personal key or PIN associated with said fingerprint that is different from those associated with fingerprints with similar minutiae points,
- communicating to the user the personal key or PIN associated with the registered fingerprint.
5. Method according to any one of the preceding claims, characterized in that the personal key or PIN is used in the encoding of the biometric information by means of an algorithm.
6. Method according to claim 5, characterized in that the algorithm used is a standard algorithm chosen from among BIOAPI, BAPI, CBEFF or ANSI X9.84.
7. Method according to any one of the preceding claims, characterized in that it further comprises a step of storing the information relating to the operation performed by the user in a database.
8. Method according to any one of the preceding claims, characterized in that the result of the external application received at the server is communicated to the user by at least one of the following actions:
- transmitting an SMS,
- displaying related information on a screen,
- printing a receipt,
- recording the operation in a web environment,
- sending an e-mail,
- making a telephone call.
9. Method according to any one of the preceding claims, characterized in that one and the same user has several fingerprints associated with data registered in the system.
10. Device for identifying users and executing operations of external applications, characterized in that it implements:
- a reader for collecting biometric information from a user,
- processing means for encoding and decoding information,
- means for entering a personal key,
- means for communicating with a server,
- means for displaying information to the user.
11. Device according to claim 10, characterized in that the reader is a fingerprint reader.
12. Device according to claim 10 or 11, characterized in that the means for entering data are a keyboard.
13. Device according to any one of claims 10 to 12, characterized in that the communication means comprise at least one of the following components:
- wireless GPRS modem,
- Ethernet network card,
- IEEE 802.11 compatible wireless card,
- Bluetooth compatible card,
- USB port.
14. Device according to any one of claims 10 to 13, characterized in that it has batteries so that it can operate without being connected to the mains.
15. System for identifying a user and operating with an external application, characterized in that it comprises:
- a terminal which in turn comprises means for reading and encoding the access biometric information of the user who operates with an external application, and means for communicating the encoded information,
- a server which in turn comprises
  - means for accessing the user registration information,
  - means for receiving the access biometric information from the terminal and the notifications from a gateway,
  - means for communicating with a terminal,
  - means for validating said biometric information against the user registration information in order to complete the data required by the external application,
- a gateway which in turn comprises
  - means for interacting between the external application and the server, and
  - means for notifying the result of the execution of the external application.
PCT/ES2009/000453 2009-09-15 2009-09-15 Method and device for advanced identification of users via a fingerprint and pin WO2011033137A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/ES2009/000453 WO2011033137A1 (en) 2009-09-15 2009-09-15 Method and device for advanced identification of users via a fingerprint and pin

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/ES2009/000453 WO2011033137A1 (en) 2009-09-15 2009-09-15 Method and device for advanced identification of users via a fingerprint and pin

Publications (1)

Publication Number Publication Date
WO2011033137A1 (en) 2011-03-24

Family

ID=43758134

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/ES2009/000453 WO2011033137A1 (en) 2009-09-15 2009-09-15 Method and device for advanced identification of users via a fingerprint and pin

Country Status (1)

Country Link
WO (1) WO2011033137A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1998009227A1 (en) * 1996-08-29 1998-03-05 Smarttouch Tokenless biometric transaction authorization method and system
US20070094715A1 (en) * 2005-10-20 2007-04-26 Microsoft Corporation Two-factor authentication using a remote control device
JP2007193718A (en) * 2006-01-23 2007-08-02 Matsushita Electric Ind Co Ltd Information processing apparatus and personal authentication method
US20080126261A1 (en) * 2006-11-25 2008-05-29 Robert Lovett Cashless vending system and method
CN101436935A (en) * 2008-12-10 2009-05-20 华中科技大学 PIN code verification method through fingerprint identification

Similar Documents

Publication Publication Date Title
US9674705B2 (en) Method and system for secure peer-to-peer mobile communications
ES2498893T3 (en) Autonomous secure PIN entry device to enable EMV card transactions with separate card reader
US9124433B2 (en) Remote authentication and transaction signatures
ES2554686T3 (en) Device, system and method for registering and authenticating handwritten signatures and archiving handwritten information
EP3382587B1 (en) Identity authentication using a barcode
CN104126292A (en) Strong authentication token with visual output of pki signatures
WO2006016000A1 (en) Method of making secure payment or collection transactions using programmable mobile telephones
US20100131414A1 (en) Personal identification device for secure transactions
US20210272098A1 (en) Method and system to create a trusted record or message and usage for a secure activation or strong customer authentication
CN101334915A (en) Biometric authentication apparatus, terminal device and automatic transaction machine
KR20060132763A (en) Authentication system by using bar-code which otp-code added, and its method
EP2071530A1 (en) Authentication device and payment system
JP2010287250A (en) Authentication system for cashless payment
EP2365477A1 (en) Personal identification device for secure transactions
EP1480107A2 (en) Method for authentication of a user with an authorizing device, and a security apparatus for carrying out the method
WO2011033137A1 (en) Method and device for advanced identification of users via a fingerprint and pin
EP2795523A1 (en) An authentication system and method
ES2346607B1 (en) KEYBANKING
BR102021018459A2 (en) All-in-one data validation device and data validation method
WO2022061437A1 (en) Multifunctional data validation device and data validation method
EA041505B1 (en) METHOD FOR CONFIRMING THE AUTHENTICITY OF USER DATA AND THE SYSTEM IMPLEMENTING IT

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09849395

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06/07/2012)

122 Ep: pct application non-entry in european phase

Ref document number: 09849395

Country of ref document: EP

Kind code of ref document: A1