WO2023022584A1 - System and method for decentralising digital identification - Google Patents


Info

Publication number
WO2023022584A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
digital identification
relying party
digital
mobile device
Application number
PCT/MY2021/050117
Other languages
French (fr)
Inventor
Mohd. Faizul YA'KUB
Kam Siew PHANG
Jia Giin TAN
Yung Sing LEW
Original Assignee
Iris Corporation Berhad
Application filed by Iris Corporation Berhad
Publication of WO2023022584A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints

Definitions

  • FIG. 8 illustrates a block diagram of the method and system of the decentralising digital identification.
  • FIG. 9A illustrates a block diagram of the authenticating the decentralised digitally verifiable credential user, where the relying parties have individual decentralised verifiers installed.
  • FIG. 9B illustrates a block diagram of the authenticating the decentralised digitally verifiable credential user, where the relying parties use a centralized verifier.
  • the present disclosure provides a system and method for decentralising digital identification.
  • the system according to the disclosure comprises a mobile device with a secure storage, a unique multifactor cryptographic and biometric authenticator installed on the mobile device and a certified verifier.
  • the method according to the disclosure is capable of proofing identification of a user to generate a digital identification on the user’s mobile device, activating the digital identification of the user to create a decentralised digitally verifiable credential and authenticating the digital identification of the user by relying parties.
  • the mobile device is, but not limited to, a tamper-resistant smart mobile phone with a secure storage; the mobile phone is installed with an app dedicated to a single user account.
  • FIGs. 1A, 1B & 1C illustrate a flowchart of the method for proofing identification of a user to generate a digital identification on the user’s mobile device. This is also referred to as the onboarding process, which begins at a physical kiosk. If the user holds a national ID, proofing identification of the user further comprises verifying identity of the user using one-to-one fingerprint verification by the issuing authority and generating a PKI certificate on the user’s mobile device. If the user holds an NFC-enabled mobile device and a passport, proofing identification of the user further comprises verifying authenticity of the passport using one-to-one facial recognition with liveness detection by the issuing authority and generating a PKI certificate on the user’s mobile device.
  • the mobile device has the capability to revoke the PKI Certificate in the event of a claimant impersonation attack.
  • the national ID is inserted into the card reader, or the machine readable zone (MRZ) of the passport is scanned (102), in order to obtain user information (104). This information is then verified using one-to-one fingerprint verification (106). If this verification is unsuccessful, a message is displayed on the kiosk (120). If it is successful, a deduplication check is performed at the PKI Certification Authority (CA) (108). Once no duplicate is found, the national ID (110) or passport (112) is validated to verify the identity of the user.
  • biographical data stored as cache (114) is used to generate a time based QR code (116) which is then displayed at the kiosk (118).
  • the user mobile is installed with an ID4L app and this is used to scan the QR code (122) which is then verified (126) after clearing the cache data (124).
  • cache data is retrieved (128) and displayed (130) on the ID4L app for the user to input a phone number (132). This is used to generate an OTP (134), which is forwarded to the user’s mobile device (136).
  • the OTP is received as an SMS (138) and keyed into the ID4L app (140).
  • the OTP is verified (142) and if verification fails after more than 3 trials, a message is displayed on the ID4L app (148). If verification fails and is still within 3 trials, a new OTP is requested (144). If the OTP is not expired, a status (146) is displayed on the ID4L app and an ID4L credential Private Key is generated (150). This is followed by the generation of an ID4L credential Private Key Certificate Signing Request (CSR) (152) and a request to store the ID4L credential PKI certificate (154). The ID4L credential Private Key password is then generated (156) and the ID4L credential PKI certificate (158) is stored. The ID4L credential PKI certificate is displayed (160) on the user’s mobile device.
  • upon successful ID proofing, the app on the user’s mobile is activated with a valid PKI certificate, passport Digital Travel Credential (DTC) and/or national ID (MyKad) Virtual Card (VC) (162). A message is then displayed on the ID4L app (164).
  • the decentralised digitally verifiable credential comprises 3 factors (HAK) of authentication: something you Have, something you Know and something you Are.
  • Activating the digital identification of the user to create a decentralised digitally verifiable credential further comprises creating, based on the PKI certificate, a PKI password for instance, using pre-existing software such as Mi-Signet.
  • This PKI password will be used by the user to generate digital signatures and to secure the national ID VC or the passport DTC stored in the mobile device.
  • the PKI Certificate and the DTC/VC data are stored in accordance with the ICAO standard format on the mobile device of the user.
  • the relying parties for instance Banks, Government Agencies and other commercial entities, either have individual decentralised verifiers installed or use a centralized verifier, to have all identity validated when performing any transactions.
  • a relying party can prevent claimant impersonation by including facial recognition with photo from DTC/VC as part of its user authentication, transaction authorization and eKYC processes.
  • As shown in FIGs. 2A, 2B, 2C & 2D, activating the digital identification of the user to create a decentralised digitally verifiable credential begins at the kiosk, where the data from the national ID or the machine readable zone (MRZ) of the passport is extracted (202).
  • a random secret key is generated (204) and encrypted (206) using a secure encryption method, for instance AES-256 encryption.
  • This encrypted data is stored (208) at the QR Code Services and a Reference ID is generated (214) and sent to the kiosk (212).
  • a QR Code is generated based on the random secret key and Reference ID (216).
  • This QR Code is scanned (222) by the ID4L app and, if the QR Code is not expired, the random secret key and Reference ID are retrieved (228) and sent (230) to the QR Code Services for validation (226) of the Reference ID.
  • the Reference ID is cleared (218, 232) from the cache of the QR Code Services and ID4L app.
  • the encrypted data is retrieved and sent (236) to the ID4L app for decryption (238).
  • the encrypted data (242) and random secret key (240) are then cleared from the QR Code Services and ID4L app respectively.
  • the national ID VC (244) is constructed and the ID4L credential Private Key password is entered (246) before generating the digitally signed national ID VC or passport DTC (248).
  • the ID4L credential Private Key password is entered (250) once again in order to digitally sign the user’s photo (252).
  • a session key is generated (254) at the PKI Certification Authority (CA) and the Diffie-Hellman Key Exchange is used (256) to encrypt (258) and decrypt (260) the national ID VC using the session key.
  • the ID4L credential Private Key is then retrieved (262) to validate the national ID VC (264) before digitally signing it (268) and encrypting it using the session key (270). This is then decrypted at the ID4L app (272) and a “live” image is captured (274) for users with either national ID VC or passport DTC. This “live” image and the user’s photo are sent (276) for one-to-one verification (278). Upon successful verification, the PKI Certificate and the DTC/VC data are stored in accordance with the ICAO standard format on the mobile device of the user (280).
  • FIG. 3 illustrates a flowchart of the method for authenticating the digital identification of the user by relying parties.
  • authenticating the digital identification of the user by relying parties is for the purpose of determining the user identity. This begins with the relying party creating an intent (302) of the digital identification.
  • the ID4L app on the mobile device verifies this request (304) and prompts the user for a PKI password (306) which is then used to generate a key to sign a challenge nonce digitally (308).
  • the signed nonce and certificate are forwarded to the ID4L verifier (310).
  • FIG. 4 illustrates a flowchart of the method for facial recognition.
  • authenticating the digital identification of the user is for the purpose of transaction authorization, by relying parties to engage in digital transaction. This begins with the relying party creating an intent of the digital identification (402). This prompts the mobile device of the user to scan a "live" biometric photo information (404) of the user and send a digitally signed photo from the DTC/VC, along with the PKI certificate to the relying party to perform verification (410).
  • the liveness of the biometric photo is checked at the ID4L app (408) as well as by the facial recognition services (406).
  • the ID4L verifier validates the PKI certificate (412) which is also checked at the PKI Certification Authority (CA) (414).
  • the ID4L verifier then validates the integrity of the DTC/VC photo data within data groups 1 to 16 against the PKI certificate (416), and then compares it against the user photo that has passed liveness detection (418) to confirm user identity and to prevent claimant impersonation attacks. Responsive to successful verification, the ID4L app on the mobile device forwards this status (420) to the relying party and digital transactions (422), not limited to initiating online banking services, can be performed.
  • FIG. 5 illustrates a flowchart of the method for facial recognition and eKYC Authentication.
  • authenticating the digital identification of the user is for the process of e-KYC by relying parties in the event the user is new. This begins with the relying party creating an intent (502) of the digital identification. This prompts the mobile device of the user to scan “live” biometric photo information (504) of the user. The liveness of the biometric photo is checked at the ID4L app (508) as well as by the facial recognition services (506). The digitally signed photo from the DTC/VC, along with the PKI certificate, is sent to the relying party to perform verification (510).
  • the ID4L verifier validates the PKI certificate (512), which is also checked at the PKI Certification Authority (CA) (514). The ID4L verifier then validates the integrity of the DTC/VC photo data within data groups 1 to 16 against the PKI certificate (516), and then compares it against the user photo that has passed liveness detection (518) to confirm user identity and to prevent claimant impersonation attacks. Responsive to successful verification, the ID4L app on the mobile device forwards this status (520) to the relying party. The relying party then sends a request for PKI signing (522) to the ID4L app to perform verification (524).
  • the ID4L verifier validates the PKI certificate (530), which is also checked at the PKI Certification Authority (CA) (532). Responsive to successful verification, the ID4L verifier verifies the signed data (534) and the relying party executes digital transactions (536), such as but not limited to opening a new bank account.
  • FIG. 6 illustrates a flowchart of the iForm application with digital signature.
  • authenticating the digital identification of the user is for the purpose of data acquisition. This begins with the user invoking an “Application Form” (602) in the relying party’s app on the user’s mobile device, creating an intent to populate verifiable personal data in the Application Form (604).
  • the iForm Services generates a security code (606) followed by a QR Code (608) to be sent to the relying party’s app.
  • This QR code is then displayed on the screen (609) to be scanned by the ID4L Services app (610) after which additional QR code data is generated (612) and stored (616).
  • the additional QR code data along with a session token, Form ID and response URL from the relying party’s app is sent to the iForm Services to be verified (614).
  • the session token is verified, the Form ID and the response URL is validated (618) in order to proceed with obtaining and forwarding (620) an iForm template to the ID4L Services app (622).
  • the ID4L Services APP then prompts the user to scan a “live” biometric photo information of the user (628) and send a digitally signed photo from DTC/VC, along with the PKI certificate to the relying party to perform verification.
  • the relying party validates (630, 632) the integrity of the DTC/VC photo data using the PKI certificate and then compares it against the user photo that has passed liveness detection to confirm user identity and to prevent claimant impersonation attacks. If the facial verification is successful, the relying party’s app can further request the user to enter the PKI password (634) to digitally sign (636) the completed iForm. Before final submission, the iForm is encrypted by the ID4L Services app with a security code (638), which is then decrypted at the relying party’s app (640) and verified (642) before being sent to the relying party’s app for final submission (644). The ID4L Services app saves the transaction details (646) and displays a message (648) on the user’s mobile device.
  • the integrity of the DTC/VC data, including the biometric information (for instance fingerprint or photo), is safeguarded by the digital signatures of the Document Issuer and of the decentralised digitally verifiable credential user.
  • the relying party can validate the data integrity by checking the hash of data groups 1 to 16 (DG1 - DG16) before proceeding to the subsequent steps to use the DTC/VC for (a) biometric verification with fingerprint and facial data and (b) completion of a service application form with other data such as name, date of birth, email address, phone number, etc.
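The kiosk-to-app hand-off of steps 202 to 242 (a random secret key, the encrypted data parked at the QR Code Services under a Reference ID, and a QR code that is rejected once expired and cleared after a single use) as an added Python example; it is not code from the patent or from Iris Corporation. The SHA-256 keystream cipher is a stand-in for the AES-256 step, and the service interface, field names, lifetimes and the MRZ-like sample bytes are constructed assumptions.

```python
"""One-time, expiring QR hand-off between kiosk, QR Code Services and the ID4L app.
Added example modelled on steps 202-242; not the patent's own code."""
import hashlib
import secrets


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the AES-256 step (206/238): SHA-256 counter keystream XOR.
    Symmetric, so the same call encrypts and decrypts. Demonstration only (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class QrCodeServices:
    """Holds only ciphertext, keyed by a short-lived Reference ID (208/214); never the key."""

    def __init__(self, ttl_seconds: int = 60):
        self.ttl = ttl_seconds
        self._cache = {}  # ref_id -> (encrypted_data, expiry)

    def store(self, encrypted: bytes, now: float) -> str:
        ref_id = secrets.token_urlsafe(12)
        self._cache[ref_id] = (encrypted, now + self.ttl)
        return ref_id

    def validate_and_release(self, ref_id: str, now: float):
        """Validate the Reference ID (226), hand out the ciphertext once (236) and clear
        both from the cache (218/242). Returns None when the ID is unknown, reused or stale."""
        entry = self._cache.pop(ref_id, None)  # single use: gone after this call
        if entry is None:
            return None
        encrypted, expiry = entry
        if now > expiry:
            return None
        return encrypted


def kiosk_issue_qr(service: QrCodeServices, extracted: bytes, now: float) -> dict:
    """Kiosk side (202-216): random key, encrypt, park ciphertext, QR carries key + Reference ID."""
    secret_key = secrets.token_bytes(32)               # 204
    encrypted = keystream_xor(secret_key, extracted)   # 206
    ref_id = service.store(encrypted, now)             # 208/214
    return {"ref": ref_id, "key": secret_key, "expires": now + service.ttl}  # 216


def app_scan_qr(service: QrCodeServices, qr: dict, now: float):
    """App side (222-240): reject an expired QR, fetch ciphertext by Reference ID, decrypt, drop key."""
    if now > qr["expires"]:
        return None
    encrypted = service.validate_and_release(qr["ref"], now)
    if encrypted is None:
        return None
    plaintext = keystream_xor(qr["key"], encrypted)
    qr["key"] = None  # 240: secret key cleared from the app once used
    return plaintext


def demo() -> dict:
    """Genuine scan, a replayed scan of the same QR, and a scan after expiry."""
    service = QrCodeServices(ttl_seconds=60)
    mrz = b"P<MYSDOE<<JANE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"  # constructed MRZ-like sample
    qr = kiosk_issue_qr(service, mrz, now=100.0)
    first = app_scan_qr(service, dict(qr), now=110.0)
    second = app_scan_qr(service, dict(qr), now=111.0)        # same QR presented again
    late_qr = kiosk_issue_qr(service, mrz, now=200.0)
    late = app_scan_qr(service, dict(late_qr), now=300.0)     # app-side expiry check
    late_service = service.validate_and_release(late_qr["ref"], 300.0)  # service-side check
    return {"expected": mrz, "first": first, "second": second,
            "late": late, "late_service": late_service}
```

The point the flow protects is that the QR Code Services never hold the secret key and the app never keeps the ciphertext, so a leaked cache entry or a photographed QR code is useless on its own, and the Reference ID cannot be redeemed twice.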
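The FIG. 3 exchange (the relying party's intent carrying a challenge nonce, signing in the app only after the PKI password unlocks the key, and verification of the signed nonce against the certificate) as an added Python example; it is not code from the patent or from Iris Corporation. The textbook RSA key pair built from two fixed Mersenne primes stands in for the real PKI material, and the certificate fields, the trusted and revoked serial lists, the nonce lifetime and every name and sample value are constructed assumptions.

```python
"""Challenge-nonce authentication in the shape of the FIG. 3 flow (added example)."""
import hashlib
import hmac
import json
import secrets

# Demonstration-only textbook RSA over two fixed Mersenne primes: an assumption that
# stands in for the app's real PKI key pair and certificate; never for production use.
_P = (1 << 127) - 1   # M127, prime
_Q = (1 << 521) - 1   # M521, prime
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def _hash_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv_d: int, n: int, data: bytes) -> int:
    return pow(_hash_int(data), priv_d, n)


def rsa_verify(pub_e: int, n: int, data: bytes, sig: int) -> bool:
    return pow(sig, pub_e, n) == _hash_int(data)


def canonical(intent: dict) -> bytes:
    """Stable byte encoding so app and verifier hash exactly the same intent."""
    return json.dumps(intent, sort_keys=True, separators=(",", ":")).encode()


class Id4lApp:
    """User's mobile app: the private key signs only after the PKI password is checked (306/308)."""

    def __init__(self, password: str, cert: dict, priv_d: int):
        self._salt = secrets.token_bytes(16)
        self._pw_check = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._priv_d = priv_d
        self.cert = cert

    def sign_challenge(self, password: str, intent: dict) -> dict:
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(check, self._pw_check):
            raise PermissionError("wrong PKI password: key stays locked")
        return {"cert": self.cert, "sig": rsa_sign(self._priv_d, self.cert["n"], canonical(intent))}


class Id4lVerifier:
    """Verifier side: issues intents with fresh nonces (302) and checks the signed reply (310)."""

    def __init__(self, trusted_serials, revoked_serials=(), nonce_ttl=120):
        self.trusted = set(trusted_serials)
        self.revoked = set(revoked_serials)   # revocation after a claimant impersonation attack
        self.nonce_ttl = nonce_ttl
        self._pending = {}     # nonce -> (intent, expiry)
        self._consumed = set()  # nonces already accepted once

    def create_intent(self, relying_party: str, purpose: str, now: float) -> dict:
        intent = {"rp": relying_party, "purpose": purpose, "nonce": secrets.token_hex(16)}
        self._pending[intent["nonce"]] = (intent, now + self.nonce_ttl)
        return intent

    def verify(self, nonce: str, response: dict, now: float) -> str:
        if nonce in self._consumed:
            return "replayed-nonce"
        if nonce not in self._pending:
            return "unknown-nonce"
        intent, expiry = self._pending[nonce]
        if now > expiry:
            del self._pending[nonce]
            return "expired-nonce"
        cert = response["cert"]
        if cert["serial"] not in self.trusted:
            return "untrusted-cert"
        if cert["serial"] in self.revoked:
            return "revoked-cert"
        if now > cert["not_after"]:
            return "expired-cert"
        # The signature is checked over the intent the verifier issued, not the client's copy.
        if not rsa_verify(cert["e"], cert["n"], canonical(intent), response["sig"]):
            return "bad-signature"
        del self._pending[nonce]
        self._consumed.add(nonce)
        return "ok"


def demo() -> dict:
    """Run the flow and return the verifier's verdicts for several cases (constructed values)."""
    cert = {"serial": "ID4L-0001", "subject": "jane@example.test", "e": _E, "n": _N, "not_after": 2000.0}
    app = Id4lApp("correct horse battery", cert, _D)
    verifier = Id4lVerifier(trusted_serials={"ID4L-0001"}, revoked_serials={"ID4L-0002"})
    out = {}
    intent = verifier.create_intent("bank.example", "login", now=1000.0)
    reply = app.sign_challenge("correct horse battery", intent)
    out["genuine"] = verifier.verify(intent["nonce"], reply, now=1010.0)
    out["replay"] = verifier.verify(intent["nonce"], reply, now=1020.0)
    intent2 = verifier.create_intent("bank.example", "login", now=1000.0)
    altered = app.sign_challenge("correct horse battery", dict(intent2, purpose="transfer"))
    out["altered-intent"] = verifier.verify(intent2["nonce"], altered, now=1010.0)
    intent3 = verifier.create_intent("bank.example", "login", now=1000.0)
    out["stale"] = verifier.verify(intent3["nonce"], app.sign_challenge("correct horse battery", intent3), now=1500.0)
    try:
        app.sign_challenge("wrong password", intent3)
        out["wrong-password"] = "signed"
    except PermissionError:
        out["wrong-password"] = "locked"
    return out
```

The verifier keeps the authoritative copy of the intent, so a signature over a modified intent fails even though it was produced with the genuine key; the consumed-nonce set is what turns a captured reply into a one-time artefact.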
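The DG1 to DG16 hash check of the last two items as an added Python example, not code from the patent or Iris Corporation. The layout of the issuer's hash list (one SHA-256 per present data group), the use of DG2 for the face image (taken from the ICAO 9303 logical data structure) and the sample data groups are constructed assumptions; the Document Issuer's signature over that hash list is assumed to have been verified separately and is not shown.

```python
"""Integrity check of DTC/VC data groups against the issuer's hash list (added example)."""
import hashlib


def dg_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_security_object(data_groups: dict) -> dict:
    """What the Document Issuer signs at issuance: one hash per present DG (1-16). Assumed layout."""
    return {dg: dg_hash(content) for dg, content in sorted(data_groups.items())}


def check_data_groups(data_groups: dict, security_object: dict, required=(1, 2)) -> tuple:
    """Relying-party check before any DG is used: every listed DG present and unmodified,
    no unlisted DG added after issuance, and the DGs this step needs (DG2 face image for
    facial matching) present. Returns (ok, problems)."""
    problems = []
    for dg in range(1, 17):
        present, listed = dg in data_groups, dg in security_object
        if listed and not present:
            problems.append(f"DG{dg} missing")
        elif present and not listed:
            problems.append(f"DG{dg} not covered by issuer hash list")
        elif present and dg_hash(data_groups[dg]) != security_object[dg]:
            problems.append(f"DG{dg} hash mismatch")
    for dg in required:
        if dg not in data_groups:
            problems.append(f"DG{dg} required for this step")
    return (not problems, problems)


def demo() -> dict:
    """Genuine document, a swapped photo, an unsigned extra DG, and a document without DG2."""
    # Constructed sample: DG1 holds MRZ data, DG2 the face image, DG11 additional personal data.
    dgs = {1: b"P<MYSDOE<<JANE", 2: b"\x89PNG...constructed-face-image", 11: b"jane@example.test"}
    sod = build_security_object(dgs)
    out = {"genuine": check_data_groups(dgs, sod)}
    swapped = {**dgs, 2: b"\x89PNG...someone-elses-face"}   # photo replaced after issuance
    out["swapped-photo"] = check_data_groups(swapped, sod)
    extra = {**dgs, 3: b"unsigned-fingerprints"}            # DG the issuer never signed
    out["unlisted-dg"] = check_data_groups(extra, sod)
    no_face = {k: v for k, v in dgs.items() if k != 2}        # DG2 stripped out
    out["no-face"] = check_data_groups(no_face, sod)
    return out
```

Running the check before the facial comparison is what makes the "live image versus DTC/VC photo" step meaningful: a photo that does not hash to the issuer's DG2 value is rejected before any biometric matching happens.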

Abstract

The present disclosure relates, in general, to decentralising digital identification, and more specifically, relates to generating a digital identification of a user and activating this to create a decentralised digitally verifiable credential that can be used by relying parties, the decentralised digitally verifiable credential is a unique multi-factor cryptographic and biometric authenticator that is "NIST Authentication Assurance Level 3 (AAL3) Compliant" and "Claimant Impersonation Resistant".

Description

SYSTEM AND METHOD FOR DECENTRALISING DIGITAL IDENTIFICATION
TECHNICAL FIELD
[0001] The present disclosure relates, in general, to decentralising digital identification, and more specifically, relates to generating a digital identification of a user and activating this to create a decentralised digitally verifiable credential that can be used by relying parties, the decentralised digitally verifiable credential is a unique multi-factor cryptographic and biometric authenticator that is “NIST Authentication Assurance Level 3 (AAL3) Compliant” and “Claimant Impersonation Resistant”.
BACKGROUND
[0002] Digital identity is the unique representation of a subject engaged in an online transaction. Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.
[0003] For services in which return visits are applicable, successful authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as that which accessed the service previously. Digital identity presents a technical challenge because this process often involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital online services.
[0004] According to NIST’s definition, multi-factor cryptographic device authenticators use tamper-resistant hardware to encapsulate one or more secret keys unique to the authenticator and accessible only through the input of an additional factor, either a memorized secret or a biometric. The authenticator operates by using a private key that was unlocked by the additional factor to sign a challenge nonce presented through a direct computer interface, for instance a USB port. Alternatively, the authenticator could be a suitably secure processor integrated with the user endpoint. Although cryptographic devices contain software, they differ from cryptographic software authenticators in that all embedded software is under control of the issuer, and that the entire authenticator is subject to any applicable FIPS 140 requirements at the selected AAL.
[0005] Most AAL3 Authenticators may still be vulnerable to “Claimant Impersonation”, whereby an impersonator can prey on the disadvantaged group of people in the society to obtain and use their “Authenticator” online illegally. For instance, by gaining possession of the “Single-factor cryptographic device and memorized password”, the impersonator can easily pretend to be the actual Authenticator owner and conduct transactions illegally online. In the case of digital identification, an impersonator may induce or force a person to enrol and acquire a digital identification using the impersonator’s mobile phone. As the mobile phone belongs to the impersonator, any device-level biometric verification will not prevent the impersonation. By inducing or forcing the victim to disclose all the necessary PKI passwords, the impersonator would then be able to conduct unlawful transactions online using the digital identification of the victim.
[0006] There is therefore a need in the art to provide a system and method to establish a highly secured digital identity solution that can mitigate various online security risks and prevent impersonation and other forms of attacks.
SUMMARY
[0007] The present disclosure relates, in general, to decentralising digital identification, and more specifically, relates to generating a digital identification of a user and activating this to create a decentralised digitally verifiable credential that can be used by relying parties, the decentralised digitally verifiable credential is a unique multi-factor cryptographic and biometric authenticator that is “NIST Authentication Assurance Level 3 (AAL3) Compliant” and “Claimant Impersonation Resistant”.
[0008] In an aspect, the present disclosure provides a method for decentralising digital identification, the method comprising proofing identification of a user to generate a digital identification on the user’s mobile device, activating the digital identification of the user to create a decentralised digitally verifiable credential and authenticating the digital identification of the user by relying parties.
[0009] In an embodiment where the user holds a physical identification, proofing identification of the user to generate the digital identification on the user’s mobile device further comprises verifying authenticity of the physical identification using one-to-one fingerprint verification by the issuing authority; and generating a PKI certificate on the user’s mobile device.
[0010] In another embodiment where the user holds an NFC-enabled mobile device and passport, proofing identification of the user to generate the digital identification on the user’s mobile device further comprises verifying authenticity of the passport using one-to-one facial recognition with liveness detection by the issuing authority; and generating a PKI certificate on the user’s mobile device.
[0011] In another embodiment, activating the digital identification of the user to create a decentralised digitally verifiable credential further comprises creating, based on the PKI certificate, a PKI password for the user which will be used to generate digital signatures and to secure the digital identification stored in the mobile device; and storing the PKI Certificate and the digital identification data in accordance to a standard format on the mobile device of the user.
[0012] In another embodiment, authenticating the digital identification of the user by relying parties comprises authenticating the digital identification of the user by relying parties; or authenticating the digital identification of the user for the purpose of transaction authorization, by relying parties to engage in digital transaction; or authenticating the digital identification of the user for the process of e-KYC of by relying parties in the event the user is new; or authenticating the digital identification of the user for the purpose of data acquisition.
[0013] In yet another embodiment, authenticating the digital identification of the user by relying parties comprises the relying parties either installed with individual decentralised verifiers to have all identity validated when performing any transactions. [0014] In yet another embodiment, authenticating the digital identification of the user by relying parties comprises the relying parties use a centralized verifier to have all identity validated when performing any transactions.
[0015] In another aspect, the present disclosure provides a system for decentralising digital identification, the system comprising a mobile device with secure storage; a unique multifactor cryptographic and biometric authenticator installed on the mobile device; and a certified verifier; wherein the system is capable of proofing identification of a user to generate a digital identification on the user’s mobile device, activating the digital identification of the user to create a decentralised digitally verifiable credential, and authenticating the digital identification of the user by relying parties.
[0016] Various objects, features, aspects, and advantages of the inventive subject matter will become more apparent from the following detailed description of preferred embodiments, along with the accompanying drawing figures in which like numerals represent like components.
BRIEF DESCRIPTION OF THE DRAWINGS
[0017] The following drawings form part of the present specification and are included to further illustrate aspects of the present disclosure. The disclosure may be better understood by reference to the drawings in combination with the detailed description of the specific embodiments presented herein.
[0018] FIGs. 1A, 1B & 1C illustrate a flowchart of the method for proofing identification of a user to generate a digital identification on the user’s mobile device.
[0019] FIGs. 2A, 2B, 2C & 2D illustrate a flowchart of the method for activating the digital identification of the user to create a decentralised digitally verifiable credential.
[0020] FIG. 3 illustrates a flowchart of the method for authenticating the digital identification of the user by relying parties.
[0021] FIG. 4 illustrates a flowchart of the method for facial recognition.
[0022] FIG. 5 illustrates a flowchart of the method for facial recognition and eKYC Authentication.
[0023] FIG. 6 illustrates a flowchart of the iForm application with digital signature.
[0024] FIG. 7 illustrates the appropriate Authenticator Assurance Level (AAL) to be implemented by relying parties for their online services based on the potential impact of a security violation.
[0025] FIG. 8 illustrates a block diagram of the method and system for decentralising digital identification.
[0026] FIG. 9A illustrates a block diagram of authenticating the decentralised digitally verifiable credential user, where the relying parties have individual decentralised verifiers installed.
[0027] FIG. 9B illustrates a block diagram of the authenticating the decentralised digitally verifiable credential user, where the relying parties use a centralized verifier.
DETAILED DESCRIPTION
[0028] The following is a detailed description of embodiments of the disclosure depicted in the accompanying drawings. The embodiments are in such detail as to clearly communicate the disclosure. If the specification states a component or feature “may”, “can”, “could”, or “might” be included or have a characteristic, that particular component or feature is not required to be included or have the characteristic.
[0029] As used in the description herein and throughout the claims that follow, the meaning of “a,” “an,” and “the” includes plural reference unless the context clearly dictates otherwise. Also, as used in the description herein, the meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
[0030] The present disclosure relates, in general, to decentralising digital identification, and more specifically to generating a digital identification of a user and activating it to create a decentralised digitally verifiable credential that can be used by relying parties. Reference is made to FIG. 8, which illustrates a block diagram of the method and system for decentralising digital identification. The decentralised digitally verifiable credential is a unique multi-factor cryptographic and biometric authenticator that is “NIST Authenticator Assurance Level 3 (AAL3) Compliant” and “Claimant Impersonation Resistant”.
[0031] The present disclosure may be described in enabling detail in the following examples, which may represent more than one embodiment of the present disclosure.
[0032] In an embodiment, the present disclosure provides a system and method for decentralising digital identification. Further, the system according to the disclosure comprises a mobile device with a secure storage, a unique multifactor cryptographic and biometric authenticator installed on the mobile device and a certified verifier. The method according to the disclosure is capable of proofing identification of a user to generate a digital identification on the user’s mobile device, activating the digital identification of the user to create a decentralised digitally verifiable credential and authenticating the digital identification of the user by relying parties.
[0033] It is in the interest of the relying parties to determine the appropriate Authenticator Assurance Level (AAL) to be implemented for their online services based on the potential impact of a security violation, as outlined in FIG. 7. For instance, if the financial or personal safety impact of a security breach is “High”, the relying party must ensure that subscribers are authenticated at AAL3 before they are allowed to access the subscribed services. According to the NIST Digital Identity Guidelines (SP 800-63B), Authenticator Assurance Level 3 (AAL3) provides very high confidence that the claimant controls the authenticator(s) bound to the subscriber’s account. AAL3 requires a hardware-based authenticator and an authenticator that provides verifier impersonation resistance (a single device may satisfy both), proof of possession of the key through a cryptographic protocol, and multi-factor authentication.
[0034] The decentralised digitally verifiable credential according to the present invention is a unique multi-factor cryptographic and biometric authenticator that is “NIST Authenticator Assurance Level 3 (AAL3) Compliant” and “Claimant Impersonation Resistant”. The system according to the disclosure comprises a mobile device with secure storage, a unique multifactor cryptographic and biometric authenticator installed on the mobile device and a certified verifier. The mobile device is, but is not limited to, a tamper-resistant smartphone with secure storage, running an app dedicated to a single user account.
[0035] FIGs. 1A, 1B & 1C illustrate a flowchart of the method for proofing identification of a user to generate a digital identification on the user’s mobile device. This is also referred to as the onboarding process, which begins at a physical kiosk. If the user holds a national ID, proofing identification of the user further comprises verifying the identity of the user using one-to-one fingerprint verification by the issuing authority and generating a PKI certificate on the user’s mobile device. If the user holds an NFC-enabled mobile device and a passport, proofing identification of the user further comprises verifying authenticity of the passport using one-to-one facial recognition with liveness detection by the issuing authority and generating a PKI certificate on the user’s mobile device. The mobile device has the capability to revoke the PKI certificate in the event of a claimant impersonation attack.
[0036] Reference is made to FIGs. 1A, 1B & 1C collectively. At the kiosk, the national ID is inserted into the card reader or the machine readable zone (MRZ) of the passport is scanned (102) in order to obtain user information (104). This information is then verified using one-to-one fingerprint verification (106). If this verification is unsuccessful, a message is displayed on the kiosk (120). If it is successful, a duplicate check is performed at the PKI Certification Authority (CA) (108). If no duplicate is found, the national ID (110) or passport (112) is validated to verify the identity of the user. Upon successful validation, the biographical data held in cache (114) is used to generate a time-based QR code (116), which is then displayed at the kiosk (118). The user’s mobile device has the ID4L app installed, and this is used to scan the QR code (122), which is then verified (126) after clearing the cache data (124). Upon successful verification of the QR code, the cache data is retrieved (128) and displayed (130) on the ID4L app for the user to input a phone number (132). This is used to generate an OTP (134), which is forwarded to the user’s mobile device (136). The OTP is received as an SMS (138) and keyed into the ID4L app (140). The OTP is verified (142); if verification fails after more than 3 attempts, a message is displayed on the ID4L app (148), while if verification fails within the first 3 attempts, a new OTP is requested (144). If the OTP has not expired, a status (146) is displayed on the ID4L app and an ID4L credential private key is generated (150). This is followed by the generation of a Certificate Signing Request (CSR) for the ID4L credential private key (152) and a request to store the ID4L credential PKI certificate (154). The ID4L credential private key password is then generated (156) and the ID4L credential PKI certificate is stored (158). The ID4L credential PKI certificate is displayed (160) on the user’s mobile device. Upon successful ID proofing, the app on the user’s mobile device is activated with a valid PKI certificate, passport Digital Travel Credential (DTC) and/or national ID (MyKad) Virtual Card (VC) (162). A message is then displayed on the ID4L app (164).
[0037] The decentralised digitally verifiable credential comprises three factors (HAK) of authentication - something you Have, something you Know and something you Are:
• Something you Have
  o Mobile Phone
  o ID4L Credential Account with
    ■ PKI Certificate
    ■ National ID VC
    ■ Passport DTC
• Something you Know
  o PKI Password to generate/access the Private Key
• Something you Are
  o Facial photo in National ID and Passport for biometric facial verification
  o Fingerprint in National ID and Passport for biometric fingerprint verification
[0038] FIGs. 2A, 2B, 2C & 2D illustrate a flowchart of the method for activating the digital identification of the user to create a decentralised digitally verifiable credential. FIG. 9A illustrates a block diagram of authenticating the decentralised digitally verifiable credential user where the relying parties have individual decentralised verifiers installed. FIG. 9B illustrates a block diagram of authenticating the decentralised digitally verifiable credential user where the relying parties use a centralized verifier. Activating the digital identification of the user to create a decentralised digitally verifiable credential further comprises creating, based on the PKI certificate, a PKI password, for instance using pre-existing software such as Mi-Signet. This PKI password will be used by the user to generate digital signatures and to secure the national ID VC or the passport DTC stored in the mobile device. Finally, the PKI certificate and the DTC/VC data are stored in accordance with the ICAO standard format on the mobile device of the user. In order to authenticate a decentralised digitally verifiable credential user, the relying parties, for instance banks, government agencies and other commercial entities, either have individual decentralised verifiers installed or use a centralized verifier, so that every identity is validated when performing any transaction. A relying party can prevent claimant impersonation by including facial recognition against the photo from the DTC/VC as part of its user authentication, transaction authorization and eKYC processes.
[0039] Reference is made to FIGs. 2A, 2B, 2C & 2D collectively. Activating the digital identification of the user to create a decentralised digitally verifiable credential begins at the kiosk, where the data from the national ID or the machine readable zone (MRZ) of the passport is extracted (202). A random secret key is generated (204) and the data is encrypted (206) with it using a secure encryption method, for instance AES-256. The encrypted data is stored (208) at the QR Code Services, and a Reference ID is generated (214) and sent to the kiosk (212). At the kiosk, a QR code is generated from the random secret key and the Reference ID (216). This QR code is scanned (222) by the ID4L app and, if the QR code has not expired, the random secret key and Reference ID are retrieved (228) and sent (230) to the QR Code Services for validation (226) of the Reference ID. The Reference ID is cleared (218, 232) from the caches of the QR Code Services and the ID4L app. Upon successful validation of the Reference ID, the encrypted data is retrieved and sent (236) to the ID4L app for decryption (238). The encrypted data (242) and the random secret key (240) are then cleared from the QR Code Services and the ID4L app respectively. Upon successful decryption, the national ID VC is constructed (244) and the ID4L credential private key password is entered (246) before generating the digitally signed national ID VC or passport DTC (248). The ID4L credential private key password is entered once more (250) in order to digitally sign the user’s photo (252). If the user has a national ID, a session key is generated (254) at the PKI Certification Authority (CA), and a Diffie-Hellman key exchange (256) establishes that session key on both sides so that the national ID VC can be encrypted (258) and decrypted (260) with it. The ID4L credential private key is then retrieved (262) to validate the national ID VC (264) before digitally signing it (268) and encrypting it with the session key (270). This is then decrypted at the ID4L app (272) and a “live” image is captured (274) for users with either a national ID VC or a passport DTC. This “live” image and the user’s photo are sent (276) for one-to-one verification (278). Upon successful verification, the PKI certificate and the DTC/VC data are stored in accordance with the ICAO standard format on the mobile device of the user (280).
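The kiosk-to-app hand-off of steps 204 to 242 above, written out as an added Go example (this is not code from the patent or from Iris Corporation): the QR Code Services holds only AES-256-GCM ciphertext under a random Reference ID, the key rides in the QR code to the user’s app, and the service releases a record exactly once and only before expiry. The type and function names (QRCodeService, Store, Fetch, Redeem), the expiry window and the MRZ-style sample line are assumptions for the example. GCM is used so that a wrong key or a tampered record fails authentication instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// QRCodeService stands in for the "QR Code Services" of FIGs. 2A-2D. It stores only
// ciphertext indexed by a random Reference ID; the AES key travels in the kiosk QR
// code to the user's app, so a compromise of this service alone exposes no ID data.
type QRCodeService struct {
	mu      sync.Mutex
	entries map[string]entry
	now     func() time.Time // injectable clock so expiry can be tested
}

type entry struct {
	ciphertext []byte
	expires    time.Time
}

func NewQRCodeService(now func() time.Time) *QRCodeService {
	return &QRCodeService{entries: map[string]entry{}, now: now}
}

// mustRandom panics on CSPRNG failure, which is not a condition worth continuing from.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store is the kiosk side (steps 204-214): fresh random key, encrypt the extracted
// ID/MRZ data, keep the ciphertext for ttl, and return what the QR code will carry.
func (s *QRCodeService) Store(plaintext []byte, ttl time.Duration) (refID string, key []byte, err error) {
	key = mustRandom(32)
	gcm, err := gcmFor(key)
	if err != nil {
		return "", nil, err
	}
	nonce := mustRandom(gcm.NonceSize())
	refID = hex.EncodeToString(mustRandom(16))
	s.mu.Lock()
	s.entries[refID] = entry{gcm.Seal(nonce, nonce, plaintext, nil), s.now().Add(ttl)}
	s.mu.Unlock()
	return refID, key, nil
}

// Fetch hands out the ciphertext for a Reference ID exactly once (steps 226-236).
// The entry is deleted before the expiry check, so neither a replayed nor an expired
// QR code can pull the record a second time.
func (s *QRCodeService) Fetch(refID string) ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.entries[refID]
	if !ok {
		return nil, errors.New("unknown or already used reference id")
	}
	delete(s.entries, refID)
	if s.now().After(e.expires) {
		return nil, errors.New("reference id expired")
	}
	return e.ciphertext, nil
}

// Redeem is the ID4L app side (steps 222-242): set up the cipher from the QR key and
// wipe the key, fetch by Reference ID, decrypt. GCM's tag check makes a wrong key or
// a modified record fail here instead of yielding garbage "ID data".
func Redeem(s *QRCodeService, refID string, key []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	for i := range key {
		key[i] = 0 // step 240: the one-time key is cleared as soon as it has been used
	}
	if err != nil {
		return nil, err
	}
	sealed, err := s.Fetch(refID)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

Deleting the entry before checking expiry is deliberate: an expired Reference ID is consumed on its first presentation, so it cannot be retried later against a skewed clock, and a second scan of the same QR code fails at Fetch regardless of whether the first succeeded.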
[0040] FIG. 3 illustrates a flowchart of the method for authenticating the digital identification of the user by relying parties. In an exemplary embodiment, authenticating the digital identification of the user by relying parties is for the purpose of determining the user’s identity. This begins with the relying party creating an intent (302) for the digital identification. The ID4L app on the mobile device verifies this request (304) and prompts the user for the PKI password (306), which is then used to generate the signing key and digitally sign a challenge nonce (308). The signed nonce and certificate are forwarded to the ID4L verifier (310). The digitally signed challenge nonce is then validated (312) by the relying party and the certificate is checked at the PKI Certification Authority (CA) (314) to confirm the identity of the user (316) before executing the appropriate transactions (318).
[0041] FIG. 4 illustrates a flowchart of the method for facial recognition. In an exemplary embodiment, authenticating the digital identification of the user is for the purpose of transaction authorization, so that relying parties can engage in a digital transaction. This begins with the relying party creating an intent for the digital identification (402). This prompts the mobile device of the user to capture a “live” biometric photo (404) of the user and to send the digitally signed photo from the DTC/VC, along with the PKI certificate, to the relying party to perform verification (410). The liveness of the biometric photo is checked by the ID4L app (408) as well as by the facial recognition services (406). The ID4L verifier validates the PKI certificate (412), which is also checked at the PKI Certification Authority (CA) (414). The ID4L verifier then validates the integrity of the DTC/VC photo data within data groups 1 to 16 against the PKI certificate (416), and then compares it against the user photo that has passed liveness detection (418) to confirm the user’s identity and to prevent claimant impersonation attacks. Responsive to successful verification, the ID4L app on the mobile device forwards this status (420) to the relying party, and digital transactions (422), such as but not limited to initiating online banking services, can be performed.
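An added Go example (not the patent’s or Iris Corporation’s code) that covers two passages at once: the enrolment steps 150 to 158 of [0036] (key generation, CSR, certificate issued by the PKI Certification Authority) and the challenge-nonce authentication of FIG. 3 (steps 302 to 316). The CA name, the relying party identifiers and the domain-separated challenge format are assumptions; the PKI password, the phone’s secure storage and the CA’s duplicate check are not modelled. The point worth seeing in code is that the relying party’s identifier is folded into what the app signs, so a signed nonce captured at one relying party (or by a site impersonating it) is useless at another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity is a key pair plus certificate, used both for the CA and for the ID4L credential.
type Identity struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newCert issues a one-day certificate for pub signed by priv. A nil parent means a
// self-signed root with the CA bit; otherwise a leaf usable only for client auth.
func newCert(cn string, pub interface{}, parent *x509.Certificate, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		t.KeyUsage |= x509.KeyUsageCertSign
		parent = t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Issue is the CA side of steps 152-154: check the CSR's proof of possession of the
// private key, then sign the ID4L credential certificate (duplicate check of step 108 omitted).
func (ca *Identity) Issue(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	return newCert(csr.Subject.CommonName, csr.PublicKey, ca.Cert, ca.key)
}

// Enrol generates a P-256 key and obtains its certificate: a self-signed CA when ca is nil,
// otherwise via a CSR to ca (steps 150-158). The key stays in memory here; the patent keeps
// it in secure storage behind the PKI password, which this example does not model.
func Enrol(ca *Identity, cn string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if ca == nil {
		cert, err := newCert(cn, &key.PublicKey, nil, key)
		return &Identity{key: key, Cert: cert}, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, err
	}
	cert, err := ca.Issue(csrDER)
	return &Identity{key: key, Cert: cert}, err
}

// challengeMsg binds the nonce to the relying party that issued it (assumed format), so a
// signature collected by one RP, or by a phishing site posing as it, cannot be replayed elsewhere.
func challengeMsg(rpID string, nonce []byte) []byte {
	return append([]byte("ID4L-challenge\x00"+rpID+"\x00"), nonce...)
}

// SignChallenge is step 308: the app signs the RP's nonce with the credential key.
func (c *Identity) SignChallenge(rpID string, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(challengeMsg(rpID, nonce))
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// VerifyChallenge is the RP's verifier (steps 312-316): chain the presented certificate to
// the trusted CA, then check the signature over this RP's own nonce. Returns the subject name.
func VerifyChallenge(ca *Identity, rpID string, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challengeMsg(rpID, nonce), sig); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

The nonce must be fresh per request and generated by the relying party, never by the app; revocation checking against the CA (step 314) would be added to VerifyChallenge in a deployment, for instance through OCSP or a CRL.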
[0042] FIG. 5 illustrates a flowchart of the method for facial recognition and eKYC authentication. In an exemplary embodiment, authenticating the digital identification of the user is for the e-KYC process of relying parties where the user is new. This begins with the relying party creating an intent (502) for the digital identification. This prompts the mobile device of the user to capture a “live” biometric photo (504) of the user. The liveness of the biometric photo is checked by the ID4L app (508) as well as by the facial recognition services (506). The digitally signed photo from the DTC/VC, along with the PKI certificate, is sent to the relying party to perform verification (510). The ID4L verifier validates the PKI certificate (512), which is also checked at the PKI Certification Authority (CA) (514). The ID4L verifier then validates the integrity of the DTC/VC photo data within data groups 1 to 16 against the PKI certificate (516), and then compares it against the user photo that has passed liveness detection (518) to confirm the user’s identity and to prevent claimant impersonation attacks. Responsive to successful verification, the ID4L app on the mobile device forwards this status (520) to the relying party. The relying party then sends a request for PKI signing (522) to the ID4L app to perform verification (524). This prompts the app on the mobile device for the user’s PKI password (526), which is then used to generate the signing key and digitally sign a challenge nonce (528). The ID4L verifier validates the PKI certificate (530), which is also checked at the PKI Certification Authority (CA) (532). Responsive to successful verification, the ID4L verifier verifies the signed data (534) and the relying party executes digital transactions (536), such as but not limited to opening a new bank account.
[0043] FIG. 6 illustrates a flowchart of the iForm application with digital signature. In an exemplary embodiment, authenticating the digital identification of the user is for the purpose of data acquisition. This begins with the user invoking an “Application Form” (602) in the relying party’s app on the user’s mobile device, creating an intent to populate verifiable personal data into the Application Form (604). The iForm Services generate a security code (606) followed by a QR code (608), which is sent to the relying party’s app. This QR code is then displayed on the screen (609) to be scanned by the ID4L Services app (610), after which additional QR code data is generated (612) and stored (616). The additional QR code data, along with a session token, Form ID and response URL from the relying party’s app, is sent to the iForm Services to be verified (614). Once the session token is verified, the Form ID and the response URL are validated (618) in order to proceed with obtaining and forwarding (620) an iForm template to the ID4L Services app (622). This prompts the ID4L Services app to verify the iForm QR code and populate the relevant information from the DTC/VC into the Application Form (624). The ID4L Services app then prompts the user to capture a “live” biometric photo (628) and sends the digitally signed photo from the DTC/VC, along with the PKI certificate, to the relying party to perform verification. The relying party validates (630, 632) the integrity of the DTC/VC photo data using the PKI certificate and then compares it against the user photo that has passed liveness detection to confirm the user’s identity and to prevent claimant impersonation attacks. If the facial verification is successful, the relying party’s app can further request the user to enter the PKI password (634) to digitally sign (636) the completed iForm. Before final submission, the iForm is encrypted by the ID4L Services app with the security code (638), then decrypted at the relying party’s app (640) and verified (642) before being sent to the relying party’s app for final submission (644). The ID4L Services app saves the transaction details (646) and displays a message (648) on the user’s mobile device.
[0044] The integrity of the DTC/VC data, including biometric information such as the fingerprint or photo, is safeguarded by the digital signatures of the Document Issuer and of the decentralised digitally verifiable credential user. The relying party can validate data integrity by checking the hashes of data groups 1 to 16 (DG1 - DG16) before proceeding to use the DTC/VC for (a) biometric verification with fingerprint and facial data and (b) completion of a service application form with other data such as name, date of birth, email address, phone number, etc. By placing the DTC/VC data solely under the control of the decentralised digitally verifiable credential holder, the need for a “Central Biometric Repository” to perform biometric verification on behalf of the relying parties is eliminated. The decentralised digitally verifiable credential user is empowered to have full control over the type and amount of personal data shared with the relying parties.
[0045] It will be apparent to those skilled in the art that the system and method for decentralising digital identification of the disclosure may be provided using some or all of the mentioned features and components without departing from the scope of the present disclosure. While various embodiments of the present disclosure have been illustrated and described herein, it will be clear that the disclosure is not limited to these embodiments only.
Numerous modifications, changes, variations, substitutions, and equivalents will be apparent to those skilled in the art, without departing from the spirit and scope of the disclosure, as described in the claims.

Claims

1. A method for decentralising digital identification, said method comprising:
proofing identification of a user to generate a digital identification on the user’s mobile device;
activating the digital identification of the user to create a decentralised digitally verifiable credential; and
authenticating the digital identification of the user by relying parties;
wherein proofing identification of the user to generate the digital identification on the user’s mobile device further comprises:
if the user holds a physical identification, verifying authenticity of the physical identification using one-to-one fingerprint verification by the issuing authority, and generating a PKI certificate on the user’s mobile device;
if the user holds an NFC-enabled mobile device and passport, verifying authenticity of the passport using one-to-one facial recognition with liveness detection by the issuing authority, and generating a PKI certificate on the user’s mobile device;
and wherein activating the digital identification of the user to create a decentralised digitally verifiable credential further comprises:
creating, based on the PKI certificate, a PKI password for the user which will be used to generate digital signatures and to secure the digital identification stored in the mobile device; and
storing the PKI certificate and the digital identification data in accordance with a standard format on the mobile device of the user.

2. The method according to claim 1, wherein authenticating the digital identification of the user by relying parties further comprises the relying parties being installed with individual decentralised verifiers so that all identities are validated when performing any transactions.

3. The method according to claim 1, wherein authenticating the digital identification of the user by relying parties further comprises the relying parties using a centralized verifier so that all identities are validated when performing any transactions.

4. The method according to claim 1, wherein authenticating the digital identification of the user by relying parties further comprises:
creating, by a relying party, an intent of the digital identification;
prompting, by the digital identification, a PKI password for the user;
generating a key and digitally signing a challenge nonce;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16; and
verifying, by a verifier, the user identity.

5. The method according to claim 1, wherein authenticating the digital identification of the user for the purpose of transaction authorization, by relying parties to engage in a digital transaction, further comprises:
creating, by a relying party, an intent of the digital identification;
scanning, by the mobile device of the user, biometric information of the user;
sending a photo, the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to initiating online banking services.

6. The method according to claim 1, wherein authenticating the digital identification of the user for the e-KYC process of relying parties, in the event the user is new, further comprises:
creating, by a relying party, an intent of the digital identification;
scanning, by the mobile device of the user, biometric information of the user;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
prompting, by the digital identification, a PKI password for the user;
generating a key and digitally signing a challenge nonce;
sending the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to opening a new bank account.

7. The method according to claim 1, wherein authenticating the digital identification of the user for the purpose of data acquisition by relying parties further comprises:
creating, by a relying party, an intent to populate an iForm with the digitally verifiable credential;
scanning, by the mobile device of the user, biometric information of the user;
sending a photo, the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16 for the purpose of populating online forms;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to services and agreements.

8. A system for decentralising digital identification, said system comprising:
a mobile device with secure storage;
a unique multifactor cryptographic and biometric authenticator installed on the mobile device; and
a certified verifier;
wherein the system is capable of proofing identification of a user to generate a digital identification on the user’s mobile device; activating the digital identification of the user to create a decentralised digitally verifiable credential; and authenticating the digital identification of the user by relying parties;
wherein proofing identification of the user to generate the digital identification on the user’s mobile device further comprises:
if the user holds a physical identification, verifying authenticity of the physical identification using one-to-one fingerprint verification by the issuing authority, and generating a PKI certificate on the user’s mobile device;
if the user holds an NFC-enabled mobile device and a passport, verifying authenticity of the passport using one-to-one facial recognition with liveness detection by the issuing authority, and generating a PKI certificate on the user’s mobile device;
and wherein activating the digital identification of the user to create a decentralised digitally verifiable credential further comprises:
creating, based on the PKI certificate, a PKI password for the user which will be used to generate digital signatures and to secure the digital identification stored in the mobile device; and
storing the PKI certificate and the digital identification data in accordance with a standard format on the mobile device of the user.

9. The system according to claim 8, wherein authenticating the digital identification of the user by relying parties further comprises the relying parties being installed with individual decentralised verifiers so that all identities are validated when performing any transactions.

10. The system according to claim 8, wherein authenticating the digital identification of the user by relying parties further comprises the relying parties using a centralized verifier so that all identities are validated when performing any transactions.

11. The system according to claim 8, wherein authenticating the digital identification of the user by relying parties further comprises:
creating, by a relying party, an intent of the digital identification;
prompting, by the digital identification, a PKI password for the user;
generating a key and digitally signing a challenge nonce;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16; and
verifying, by a verifier, the user identity.

12. The system according to claim 8, wherein authenticating the digital identification of the user for the purpose of transaction authorization, by relying parties to engage in a digital transaction, further comprises:
creating, by a relying party, an intent of the digital identification;
scanning, by the mobile device of the user, biometric information of the user;
sending a photo, the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to initiating online banking services.

13. The system according to claim 8, wherein authenticating the digital identification of the user for the e-KYC process of relying parties, in the event the user is new, further comprises:
creating, by a relying party, an intent of the digital identification;
scanning, by the mobile device of the user, biometric information of the user;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
prompting, by the digital identification, a PKI password for the user;
generating a key and digitally signing a challenge nonce;
sending the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to opening a new bank account.

14. The system according to claim 8, wherein authenticating the digital identification of the user for the purpose of data acquisition by relying parties further comprises:
creating, by a relying party, an intent to populate an iForm with the digitally verifiable credential;
scanning, by the mobile device of the user, biometric information of the user;
sending a photo, the scanned biometric information and the PKI certificate to the relying party to perform verification;
validating, by the relying party, the integrity of the digital identification data using data groups 1 to 16 for the purpose of populating online forms;
verifying the scanned biometric information by the relying party using the photo and facial recognition with liveness detection to prevent claimant impersonation attacks;
verifying, by a verifier, the user identity using the PKI certificate; and
responsive to successful verification, performing the digital transaction by the relying party, not limited to services and agreements.
PCT/MY2021/050117 2021-08-16 2021-12-09 System and method for decentralising digital identification WO2023022584A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2021004690 2021-08-16
MYPI2021004690 2021-08-16

Publications (1)

Publication Number Publication Date
WO2023022584A1 true WO2023022584A1 (en) 2023-02-23

Family

ID=85240851

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2021/050117 WO2023022584A1 (en) 2021-08-16 2021-12-09 System and method for decentralising digital identification

Country Status (1)

Country Link
WO (1) WO2023022584A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230196830A1 (en) * 2021-12-17 2023-06-22 Lenovo (Singapore) Pte. Ltd. Verification of liveness and person id to certify digital image

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200026834A1 (en) * 2018-07-23 2020-01-23 One Kosmos Inc. Blockchain identity safe and authentication system
JP2020064483A (en) * 2018-10-18 2020-04-23 株式会社日立製作所 Individual identification assisting device and individual identification assisting method
JP2020064541A (en) * 2018-10-19 2020-04-23 富士通株式会社 Identity verification program, identity verification method and information processing apparatus

Similar Documents

Publication Publication Date Title
US9384338B2 (en) Architectures for privacy protection of biometric templates
US7188362B2 (en) System and method of user and data verification
US9654468B2 (en) System and method for secure remote biometric authentication
KR100876003B1 (en) User Authentication Method Using Biological Information
EP2648163B1 (en) A personalized biometric identification and non-repudiation system
EP2115993B1 (en) Method for generating digital fingerprint
JP4176898B2 (en) Personal authentication system, portable device and storage medium used therefor
US20030101348A1 (en) Method and system for determining confidence in a digital transaction
WO2007094165A1 (en) Id system and program, and id method
CN109150535A (en) A kind of identity identifying method, equipment, computer readable storage medium and device
TWM623435U (en) System for verifying client identity and transaction services using multiple security levels
JP2015525409A (en) System and method for high security biometric access control
US20230133418A1 (en) Personalised, server-specific authentication mechanism
CN114531277A (en) User identity authentication method based on block chain technology
US20190007218A1 (en) Second dynamic authentication of an electronic signature using a secure hardware module
US11444784B2 (en) System and method for generation and verification of a subject's identity based on the subject's association with an organization
WO2023022584A1 (en) System and method for decentralising digital identification
Cavoukian et al. Keynote paper: Biometric encryption: Technology for strong authentication, security and privacy
JP2001312477A (en) System, device, and method for authentication
Bechelli et al. Biometrics authentication with smartcard
Nashwan et al. Mutual chain authentication protocol for SPAN transactions in Saudi Arabian banking
JP2006293473A (en) Authentication system and authentication method, terminal device, and authentication device
JP2007258789A (en) System, method, and program for authenticating agent
US20240129139A1 (en) User authentication using two independent security elements
KR102389587B1 (en) Apparatus and method for verifying liveness of facial recognition biometric information

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21954358

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE