AU2005294107A1 - Authentication system - Google Patents


Publication number
AU2005294107A1
AU2005294107A1 AU2005294107A AU2005294107A AU2005294107A1 AU 2005294107 A1 AU2005294107 A1 AU 2005294107A1 AU 2005294107 A AU2005294107 A AU 2005294107A AU 2005294107 A AU2005294107 A AU 2005294107A AU 2005294107 A1 AU2005294107 A1 AU 2005294107A1
Authority
AU
Australia
Prior art keywords
identity
data
client
previous
individual
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
AU2005294107A
Inventor
Kevin Cox
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EDENTITI Pty Ltd
Original Assignee
EDENTITI Pty Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from AU2004905837A (AU2004905837A0)
Application filed by EDENTITI Pty Ltd
Priority to AU2005294107A
Priority claimed from PCT/AU2005/001555 (WO2006039742A1)
Publication of AU2005294107A1

Landscapes

  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Description

WO 2006/039742 PCT/AU2005/001555

AUTHENTICATION SYSTEM

The present invention relates to a system for authenticating the identity of a user of the system and, more particularly, a system within which an identity may be established with reference to independent external data sources.

BACKGROUND

Privacy and availability of personal information have become issues as the dissemination of such information is increasingly put beyond the personal control of the individual. At the same time the validity of a person's identity has become a major issue for companies relying on electronic transfer of monies and the purchase of goods and services over distributed data networks such as the Internet.

For the individual the right to privacy and the invasion of that privacy by practices such as data mining have led to attempts at legislative control and the threat of penalties, but such measures are proving to be of limited effectiveness.

It is an object of the present invention to address or at least ameliorate some of the above disadvantages.

Note

The term "comprising" (and grammatical variations thereof) is used in this specification in the inclusive sense of "having" or "including", and not in the exclusive sense of "consisting only of".

BRIEF DESCRIPTION OF INVENTION

Accordingly, in a first broad form of the invention, there is provided a system for the authentication of the identity of an individual; said system comprising a portion of a database storage device; said portion owned by said individual; said portion storing a plurality of identity confirming data items under the control of said individual thereby to characterise said identity of said individual to a predetermined level of certainty.

Preferably, said identity confirming data items are verified by an external entity at the request of said individual.

Preferably, said database storage device is maintained by an Operating Organization independent of said individual and said reputable external organizations.

Preferably, access to data stored in said segment is by authorization of said individual.

Preferably, said individual has access to said data through submission of personal identifiers.

Preferably, said personal identifiers include a username and password.

Preferably, said reputable external organizations include government agencies.

Preferably, said reputable external organizations include organizations subject to government regulations.

Preferably, data items for entry into said sector of said database storage device are verifiable by said external organizations.

Preferably, data is entered into said sector of said database by the steps of:

(a) said individual submits a data item to said Operating Organization for addition to said sector,
(b) said Operating Organization seeks verification from a relevant source external organization,
(c) said relevant source external organization provides verification of said data item,
(d) said Operating Organization advises said individual of said verification,
(e) said individual accepts or rejects addition of said item to said sector.

Preferably, each verified data item in said sector is assigned a value.

Preferably, said value is a function of characteristics of said item and status of said source external organization verifying said item.

Preferably an accumulation of said values determines a score; said score providing a reliability indicator of authenticity of said individual's identity.

Preferably, said Operating Organization provides authenticated identity scores to requesting external organizations when authorized to do so by said individual.

Preferably, said individual nominates at least one independent referee for registration with said Operating Organization.

Preferably, a request made by said individual for alteration of data stored in said segment is acted upon only on receipt of confirmation of said request by said at least one independent referee.

Preferably, said data items may include information contained in an individual's passport or identity document.

Preferably, said data items may include a photo identification of said individual.

Preferably, said data items may include a biometric profile of said individual.

Preferably, said data items may include an individual's driver's licence.

Preferably, said data items may include bank statements.

Preferably, said data items may include electoral roll entries.

Preferably, said data items may include telephone book entries.

Preferably, said data items may include a Public Key Infrastructure digital certificate.

In a further broad form of the invention there is provided a method for establishing a reliability score for the identity of an individual; said method including the steps of:

(a) establishing an operating organization for maintaining an identity item storage database,
(b) selling a sector of said database to said individual,
(c) entering into said sector items of identity information verified by reputable external organizations,
(d) assigning a value score to each of said items of identity information as a function of quality of said information and status of said external organization,
(e) determining an identity reliability score for said identity.

Preferably, said individual controls entry of information into said database sector.

Preferably, said identity controls release of said reliability score to requesting organizations.

The method of any previous claim wherein alterations of data items in said database sector at a request of said individual requires confirmation of said request by an independent referee.

Preferably, the identity of said referee is not included in said portion of said database storage device.

In a further broad form of the invention there is provided a system for the authentication of the identity of a client to a predetermined level of confidence; said system including:

(a) an Operating Organization providing authentication of said identity of said client to a Requesting Organization,
(b) a digitized collection of documentation identifying said client; said digitized collection under control of said Operating Organization.

Preferably, the system further includes a second channel identifier wherein input digitized data is compared with stored digitized data; a match between said input digitized data and said stored digitized data confirming said input digitized data originated from said individual client.

Preferably, authenticity of said collection of documentation is attested to by a suitable third party.

The system of claim 36 wherein said digitized collection of documentation is encrypted; access to said digitized collection for modification of said digitized collection of data being restricted to said Operating Organization; said modification permitted only when authorization is provided by said client.

Preferably, modification of said digitized collection requires confirmation of said authorization from a third party referee.

Preferably, said stored digitized data is retained in an electronically readable smart card.

Preferably, said stored digitized data is a biometric profile of said client.

Preferably, said input digitized data is a biometric element of said client.

Preferably, said biometric element is at least one fingerprint.

Preferably, said biometric element is at least one iris scan.

Preferably, said biometric profile is a voice print.

Preferably, said stored digitized data is an alphanumeric string known to said client.

Preferably, said digitized data input is said number known to said client.

Preferably, said electronically readable smart card stores a unique client identifier number.

Preferably, a confirmed match between said data input and said stored digitized data enables transmission of said unique client identifier to said Operating Organization.

Preferably, receipt of said unique client identifier by said Operating Organization enables said Operating Organization to provide authentication of a said client's identity to a said Requesting Organization.

In yet a further broad form of the invention there is provided a method for authentication of a client identity; said method including the steps of:

(a) establishing a client identity to a predetermined level of confidence through a collection of identifying documentation,
(b) digitizing said collection of identifying documentation for retention in a secure database controlled by an Operating Organization,
(c) providing an electronically readable smart card containing a stored digitized data item,
(d) providing said smart card with a unique identifying number; a copy of said number retained by said Operating Organization.

Preferably, said stored digitized data item is a biometric profile of said client.

Preferably, said stored digitized item is an alphanumeric string known to said client.

In still a further broad form of the invention there is provided an identity confirming smart card; said smart card retaining a digitized identifier element associated with an owner of said smart card; said smart card further retaining a unique identification number; said card adapted to be read by a suitable smart card reader so that said digitized identifier element may be compared with an input provided by said owner of said card; a match of said digitized identifier element and said input providing confirmation of identity of said owner.

Preferably, said digitized identifier element is a biometric profile of said owner.

Preferably, said input provided by said owner is a biometric element of said owner.

Preferably, said biometric element is at least one fingerprint.

Preferably, said biometric element is at least one iris scan.

Preferably, said biometric profile is a voice print.

Preferably, said digitized identifier element is an alphanumeric string known to said owner.

Preferably, said input provided by said owner is said alphanumeric string known to said owner.

In a further broad form of the invention there is provided a system for the authentication to a third party of the identity of a client to a predetermined level of confidence; said system including:

an Operating Organization providing authentication of said identity of said client to said third party either at the instigation of said client or at the instigation of said third party precedent to completion of a transaction between said client and said third party.

Preferably said third party is contractually associated with said Operating Organisation.

In a further broad form of the invention there is provided media programmed to effect the system described above.

BRIEF DESCRIPTION OF DRAWINGS

Embodiments of the present invention will now be described with reference to the accompanying drawings wherein:

Figure 1 is a schematic representation of interchanges of information relating to an identity according to a preferred embodiment of an identity authentication system,
Figure 2 is a flow chart showing an example of an initial process of establishing an identity with an Operating Organization according to the invention,
Figure 3 is a flow chart indicating the major steps in providing a confirmation of identity to a Requesting Organization,
Figure 4 is a schematic representation of a preferred arrangement of interchange of information between elements of an authentication system according to the invention,
Figure 5 is a schematic indication of a further preferred arrangement of interchange of information between elements of the authentication system of Figures 1 to 4.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

First Preferred Embodiment

With reference to Figure 1 an authentication system 10 is comprised of an Operating Organization 12, individual clients 14 and External Organizations (or third parties) 16 and 18.

The Operating Organization 12 may be a government agency, but in at least one preferred form of the invention, is a private for-profit company. When constituted as the latter, the Operating Organization 12 will operate according to a constitution and may be governed by a board made up of stake-holders with an interest in, and concern for, privacy matters. Membership of the board may include for example, representatives from privacy advocacy groups, consumer organizations, government instrumentalities such as Austrac, and business.

The "products" of the Operating Organization 12 are the authenticated identities 13 of individual clients 14. Individual clients 14 pay for the services of the Operating Organization 12, and for identity "reliability scores" which the Organization 12 may make available for a fee to Requesting External Organizations 16.

The Operating Organization 12 maintains a database 20 and as part of its service, sells or leases a portion or sector 22 of the physical database to a participating individual client 14. The client 14 through the contract of sale or lease thus becomes the legal owner of that sector 22 of the database 20 assigned to him or her for the storage of information establishing his or her identity 13.

Legal ownership of the database sector 22 confers control of access, so that entry into and extraction from the database 20, or the alteration of data it contains, may only occur by the authority of the client 14. Unauthorised data mining by internal or external entities is rendered illegal by virtue of ownership of the database sector 22.

The data stored as Data Items 21 in the client's sector 22 of the database 20 may derive from a number of Source External Organizations 18 and take a number of forms. Thus, typically it will include name, address, date of birth, but in addition may include extracts or copies of a driver's licence, passport or other identity document, photo identification, a biometric profile, bank statements, extracts from telephone directories and the electoral roll for example. In at least one preferred embodiment of the invention, a digitised photo identification is a mandatory data item to be included.

The individual client 14 communicates with the Operating Organization 12 primarily electronically, for example by telephone, Short Message Service (SMS) or over the Internet by email and, in this first embodiment, uses an alphanumeric based identification protocol such as a username and password.

Two types of data items 21 may enter the database sector 22: non-verified and verified. Non-verified data items 21 are those entered into the database sector 22 by the individual and which are not submitted to a reputable third party for verification. Verified data items 21 by contrast, are those items that are entered into the database 20 only after verification has been received from a reputable third party (Source External Organization 18). Both types of data only relate to the identity of the individual client 14 and the source of that data.

The process of adding a verified data item 21 to the sector 22 and its authentication is as follows:

(a) the individual logs onto the Operating Organization's web site using his or her username and password,
(b) the individual submits a data item 21 to the Operating Organization 12 for inclusion into his or her database sector 22,
(c) the Operating Organization 12 contacts the apparent author of the data item (Source External Organization 18), for example a government department which issued the item, requesting verification,
(d) if verification is received the data item 21 is entered into the database sector 22 and confirmation of the entry sent to the individual.

Another process by which an identity-establishing data item 21 may enter the database sector 22 is as follows:

(a) the individual supplies to the Operating Organization 12 the details of external entities (Source External Organizations 18) which he or she believes retain information about the individual,
(b) the Operating Organization 12 then approaches these entities with requests under Freedom of Information provisions for any information held in respect of the individual,
(c) the information supplied may by definition, depending on the entity from which it is obtained, be verified and thus added to the database sector 22,
(d) or the information may be submitted to a relevant reputable third party for verification and then added to the sector 22.

With further reference to Fig. 1, an identity establishing data item 21 for a respective individual client 14, is always entered into the relevant portion or sector 22 of the database 20 under the control of that respective individual client 14.

Each data item 21 that is added to the database sector 22 is assigned a reliability value. Thus an item originating from a government department and verified in writing by that department may be awarded a maximum reliability value, whereas a similar item for which only a verbal telephone verification is forthcoming will be credited with a lower value. A submitted item which is only a photocopy of a telephone book for example, and is only verified by perusal of the relevant book, will be credited with a relatively low value. Accumulated values are used to assign a reliability score to the identity of the individual as represented by the data in the database sector 22.

Authenticated identities 13 with attendant reliability scores, may be made available to third parties (Requesting External Organizations 16) on request and with the permission of the individual owner of the identity, for a fee.

The individual client 14, as owner of the database sector 22 has authority to view and alter information retained in the database 20. However in at least one preferred embodiment of the invention, the individual client 14 appoints at least one "referee", a person known to the individual client 14 and registered with the Operating Organization 12. When the Operating Organization 12 receives an instruction to alter an item of information in the database 20, the process for alteration is only put into effect if confirmation of the instruction is received from the client's referee(s). By this means, an unauthorized person who has illegally acquired the individual client's username and password will still be unable to make alterations to the data items 21 maintained by the Operating Organization 12.

One of the applications of the present system is in the situation where an individual requires proof of identity to join some organization or obtain a benefit. Examples could include the applications for visas or passports, opening of bank accounts, obtaining accreditation to join a gambling facility or gain access to restricted material.

As an initial step, the individual may apply for the membership or benefit and, where proof of identity is required, refer the benefactor to the Operating Organization 12. On receipt of a request from a Requesting Organization 16, the Operating Organization 12 contacts the individual client 14 for authority to release the reliability score. No personal or identity information is supplied to the Requesting Organization, only the reliability score.

The present system provides considerable security over the identity of an individual. Each request made to the Operating Organization 12 must be with the approval of the individual. Alterations to the data items defining the identity cannot be made without independent confirmation of authorization from the independent referee.

Although the system cannot per se prevent a person from establishing more than one identity on the Operating Organization database 20, the inclusion of photo identification of individuals allows for automatic data matching to detect fraudulent identities.

Second Preferred Embodiment

The system of the first embodiment described above offers to Requesting Organizations a significant level of confidence in the bona fides of the alleged identity of an individual client of the Operating System. However it remains dependent on the security of a client's user name and password.

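The first embodiment's per-item reliability values, referee-confirmed alteration and score release can be modelled as below. This is an added example, not code from the patent or its applicant; the numeric weights, the class and method names, the sample client and the PBKDF2 password check are all assumptions made for illustration.

```python
# Added illustration of the first embodiment (not the patent's own code).
# Weights, names and the PBKDF2 password check are assumptions.
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass, field

# Assumed percentages: the page only says an item's value depends on the item's
# characteristics and on the status of the organization that verified it.
SOURCE_STATUS = {"government": 100, "regulated": 80, "directory": 30}
VERIFICATION = {"written": 100, "telephone": 60, "perusal": 30}


@dataclass(frozen=True)
class DataItem:
    name: str
    content: str
    source: str  # status class of the Source External Organization
    method: str  # how the verification was received

    @property
    def value(self) -> int:
        return SOURCE_STATUS[self.source] * VERIFICATION[self.method] // 100


@dataclass
class Sector:
    salt: bytes
    pw_hash: bytes
    referees: frozenset
    items: dict = field(default_factory=dict)


class OperatingOrganization:
    def __init__(self):
        self._sectors = {}
        self._pending = {}  # request id -> (username, replacement DataItem)
        self._ids = itertools.count(1)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password, referees):
        salt = os.urandom(16)
        self._sectors[username] = Sector(
            salt, self._hash(password, salt), frozenset(referees))

    def _login(self, username, password) -> Sector:
        sector = self._sectors.get(username)
        if sector is None or not hmac.compare_digest(
                sector.pw_hash, self._hash(password, sector.salt)):
            raise PermissionError("invalid username or password")
        return sector

    def add_verified_item(self, username, password, item: DataItem):
        sector = self._login(username, password)
        if item.name in sector.items:
            raise ValueError("item exists; changing it is an alteration")
        sector.items[item.name] = item

    def request_alteration(self, username, password, item: DataItem) -> int:
        """Credentials alone only queue the change; nothing is written yet."""
        self._login(username, password)
        request_id = next(self._ids)
        self._pending[request_id] = (username, item)
        return request_id

    def confirm_alteration(self, request_id: int, referee: str) -> bool:
        """Apply a queued change only if a registered referee confirms it."""
        username, item = self._pending[request_id]
        sector = self._sectors[username]
        if referee not in sector.referees:
            return False
        sector.items[item.name] = item
        del self._pending[request_id]
        return True

    def release_score(self, username, password) -> int:
        """Release needs only the client's authority; only the score leaves."""
        sector = self._login(username, password)
        return sum(item.value for item in sector.items.values())

    def item_content(self, username, name) -> str:
        return self._sectors[username].items[name].content


def demo():
    oo = OperatingOrganization()
    oo.register("client14", "constructed-password", referees={"referee-a"})
    login = ("client14", "constructed-password")  # constructed sample values
    oo.add_verified_item(*login, DataItem("passport", "original", "government", "written"))
    oo.add_verified_item(*login, DataItem("phone-book", "entry", "directory", "perusal"))
    # A holder of the username and password can request, but not effect, a change.
    rid = oo.request_alteration(
        *login, DataItem("passport", "changed", "government", "telephone"))
    by_stranger = oo.confirm_alteration(rid, "not-a-referee")
    after_stranger = oo.item_content("client14", "passport")
    score_before = oo.release_score(*login)  # released on credentials alone
    by_referee = oo.confirm_alteration(rid, "referee-a")
    return {
        "by_stranger": by_stranger, "after_stranger": after_stranger,
        "score_before": score_before, "by_referee": by_referee,
        "after_referee": oo.item_content("client14", "passport"),
        "score_after": oo.release_score(*login),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the stored items are protected by the referee step, while the score is released to anyone who presents the client's username and password.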
Although the acquisition of the user name and password by an unauthorized person does not allow manipulation by that person of the data stored in the Operating Organization database, the Organization will still provide an identity authentication and reliability score when authorized to do so by someone providing a valid user name and password. The second preferred embodiment introduces a second channel identifier to prevent this situation.

As for the First Preferred Embodiment above, with reference to Figure 2, central also to the system of the Second Preferred Embodiment is a secure collection of proof of identity information 110 stored as digital data on a suitable digital storage device 112, and an Operating Organization 116 which mediates access to the information and provides identity authentications. An additional central aspect of this embodiment is the use of the "second channel" identifier.

The stored information 110 can be any conventional proof of identity information, including identification numbers of bank accounts, driver's licence, tax file, passport etc, and may also include a digitized biometric profile (eg fingerprint, iris scan etc).

Before a person becomes a client of the Operating Organization 116, the documentary proof of his or her identity is firstly attested to by a "trusted third party" 114. This may be a member of the community empowered to witness legal documents for example, who, having satisfied him or herself as to the documents' authenticity, signs a statement to that effect.

The authenticated documentation is then presented by the client in person to the Operating Organization 116, where it is digitized, encrypted and stored, thus providing a proof of identity to some predetermined level of confidence depending on the quantity and quality of the documentation presented.

The second channel identifier may take a number of forms involving the use of an electronically readable ID smart card. In one form of the second channel identifier using a smart card, the card retains a number or an alphanumeric string known only to the client. In another specially preferred form, the card retains an item of biometric data of the client, such as at least one fingerprint, an iris scan, or voice print, which is digitized and stored on the ID smart card.

The client when registering with the Operating Organization, selects or is assigned a unique client identifier number which is also stored on the ID smart card and recorded in the Organization's database.

The client's digitized proof of identity information 110 may be stored in any of a variety of storage devices. These may include a sector of a central database maintained by the Operating Organization 116 (as in the first embodiment above), or may be a data storage device of the client's choosing, for example his or her PC, hand-held PDA or even in a memory chip of the ID smart card itself.

In any case, the information 110 is stored in encrypted form and is controlled by the Operating Organization 116 to the extent that any additions or modifications to the stored data can only be made with the permission of the client and only effected by the Operating Organization 116. Again, as in the first preferred embodiment, the request of the client to change any of the stored data must preferably be confirmed by a trusted referee initially appointed by the client at the time of registration with the Operating Organization.

The Operating Organization 116 stores on behalf of a client, a number of unique identifiers 124 for use with the various authorities and organizations (Requesting Organizations) that the client deals with and for which proof of identity is required for transactions with those Organizations.
Such Requesting Organizations may include government departments and banks for example. These unique identifiers may be such identifiers 124 of the client as are already on record with these Requesting Organizations, for example, social security, tax file, bank account numbers and the like.

ID Smart Card as Second Channel Identifier

In the case of use of an ID smart card with a biometric profile for the second channel identifier, ID smart card 118 stores as a minimum the unique client identifier number 120 and the digitized biometric profile 122.

To use the card, the owner of the card, that is to say the client, passes the card through a suitable reader connected to an Internet enabled device and also presents his or her biometric element to the reader. If the presented biometric element matches the digitized biometric profile recorded in the card, the card enables transmission of the card identifier number to the Operating Organization.

In the case that the smart card has recorded in it a number or alphanumeric string known only to the client, use of the card involves passing the card through a card reader and then entering the number. If the number entered by the client and the number stored on the card match, the card enables transmission of the card identifier number to the Operating Organization.

The ID smart card may thus be used when a client needs to make a transaction with any of the Requesting Organizations for which identifier numbers are retained by the Operating Organization. A typical example could be where a bank requires a second channel identification before permitting an Internet-based transaction.

The authentication process relies on the Operating Organization receiving a request for confirmation of identity of a client together with the client identification number.
This number, encrypted on the smart card, is only transmitted if data stored on the ID smart card matches data entered by the client, either as a biometric profile or a number. A match of the data read off the card and that entered within a set time, is confirmation for the Operating Organization that the client identification number did issue from the registered client. Hence the Operating Organization is in a position to authenticate the identity of the client to a Requesting Organization.

Voice Print as Second Channel Identifier

In a variation of the system of the Second Preferred Embodiment above in which the presented biometric element was matched with a digitized copy of the biometric profile retained in a smart card, the voice print need not involve the use of a smart card.

In this embodiment of the invention, a client of the Operating Organization wishing to authenticate his identity may do so by speaking a prearranged password or word string over a voice communication link with the Operating Organization, for example a phone line. As well as the voice transmission, a PIN may be an additional security item. In this case the Operating Organization has on record in its database a copy of the voice print and the PIN and performs the match checking function.

If the voice print and PIN match are correct, the Operating Organization provides the identifier number of the Requesting Organization for which the identity authentication is required. This may be done over the voice communication link or via an email message over the Internet for example. Typically, this system of second channel identification may be employed when a client has presented at a Requesting Organization and is required to provide proof of identity.

First example of use

With reference to Figures 3 and 4, the following example of use is with reference to a bank account transaction, but a similar process would apply to other identity authentications by Requesting Organizations:

1. The client 200 presents at his or her bank 210 over the Internet 212. The client's log on to the bank's web site may be in the normal way by presentation of a username, a password and PIN. When these are accepted, the client will be invited to present the second channel identifier.
2. The client now presents his biometric element 214, be it in the form of a fingerprint or iris, and the smart card 216 to a reader 218 attached to the computer 220 being used by the client. A time limit may be set within which these operations must be completed.
3. The reader 218 (or software resident on the computer 220) performs an internal check that the presented biometric element 214 matches the digitized biometric profile stored on the card 216. If the match is correct, the unique identifier number 222 of the card is sent to the Operating Organization 224 with a request for authentication of identity. Also sent is the identity of the Requesting Organization, in this example that of the bank 210.
4. The Operating Organization 224 now has for processing, the unique identifier 222 of the card 216 (and thus the Operating Organization client identification number), and the identity of the Requesting Organization, the bank 210. The Operating Organization 224 now sends to the bank 210 that identifier number, unique for the client, originally stored in the Operating Organization database 226 for the bank.

Second example of use

Again with reference to Figure 4, a client 200 logs onto the bank 210 web site in order to make an Internet based transaction.
In preparation, the client requests that the Operating Organization provide the bank with authentication of his or her identity by use of the client's 10 smart card. When the bank demands a second channel identifier, the 20 client refers the bank to the Operating Organization. The bank contacts the Organization requesting authentication. Third example of use With reference to Figure 5, a client 300 presents in person at his or her bank for a transaction and is 25 requested to provide proof of identity. The process is then as follows: WO 2006/039742 PCT/AU2005/001555 -25 1. The client 300 presents his smart card 316 and biometric element 314 to a bank's reader 318. The presented biometric element is digitized and compared with the digitized copy stored on the card 316. If 5 the match is correct, the bank's computer system 320 transmits over the Internet '312, the ehorypted smart cart identifier number and the identity of the bank to the Operating Organization 324,. 2. The Operating Organization returns to the bank the 10 unique identifier for the client, originally stored with the Operating Organization for the bank. It will be understood that the system structured as described above provides incontrovertible proof that the 15 person presenting for a transaction is the true owner of the identifying information on record at the Requesting Organization. - The card number will only be transmitted to the Operating Organization if there is a match between the data entered by the. person presenting and that stored in 20 encrypted form on the card. Only if this card number is received by the Operating Organization will it in turn transmit that unique identifier known -by the Requesting Organization as belonging to the person presenting. Third Preferred Embodiment 25 In a variation of the system of the Second Preferred. 
Embodiment above in which the presented biometric element WO 2006/039742 PCT/AU2005/001555 - 26 was matched with a digitized copy of the biometric profile retained in a smart card, the biometric profile employed could be a voice print and the number be a Personal Identity Number (PIN). 5 In this embodiment of the invention, a client of the Operating Organization wishing to authenticate his identity may do so by Speaking a prearranged password or word string, and giving the PIN over a voice communication. link with the Operating Organization. In this case the Operating 10 Organization then has on record in its database a copy of the voice print and the PIN and performs the match checking function. If the voice print and PIN match is correct, it provides the identifier number of the authority or organization for which the identity authentication is 15 required,. This may be done over the voice communication link or via an email message over the Internet for example. The above describes only, some embodiments of the present invention and modifications, obvious to those 20 skilled in the art, can be made thereto without departing from the scope and spirit of the present invention.
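The exchange in the first and third examples of use, shown as an added Python example that is not part of the patent text: the reader releases the card number only after a local match inside the time limit, and the Operating Organization answers with the identifier that the named Requesting Organization holds for the client. All class names, identifiers and the 60 second limit are assumptions, and the SHA-256 comparison is a stand-in for real biometric matching.

```python
import hashlib
import hmac

TIME_LIMIT_S = 60  # assumed value; the page only says a time limit may be set


class SmartCard:
    def __init__(self, card_id, enrolled_sample):
        self.card_id = card_id
        # Stand-in for the digitized biometric profile stored on the card.
        self.profile = hashlib.sha256(enrolled_sample).digest()


def reader_check(card, presented_sample, elapsed_s):
    """Step 3: release the card number only on a local match within the limit."""
    if elapsed_s > TIME_LIMIT_S:
        return None
    presented = hashlib.sha256(presented_sample).digest()
    if not hmac.compare_digest(presented, card.profile):
        return None
    return card.card_id


class OperatingOrganization:
    """Step 4: resolve (card number, Requesting Organization) to that
    organization's own identifier for the client."""

    def __init__(self):
        self._client_by_card = {}   # card number -> internal client number
        self._id_for_org = {}       # (client number, organization) -> identifier

    def enroll(self, card_id, client_no, org, org_identifier):
        self._client_by_card[card_id] = client_no
        self._id_for_org[(client_no, org)] = org_identifier

    def authenticate(self, card_id, requesting_org):
        client_no = self._client_by_card.get(card_id)
        if client_no is None:
            return None  # unknown card: fail closed
        return self._id_for_org.get((client_no, requesting_org))


def authenticate_at(org, card, sample, elapsed_s, operator):
    """Full flow: local match, then lookup; None means no authentication."""
    card_id = reader_check(card, sample, elapsed_s)
    if card_id is None:
        return None
    return operator.authenticate(card_id, org)


# Constructed sample enrolment: one client known to two organizations.
CARD = SmartCard("CARD-0001", b"enrolled-fingerprint")
OPERATOR = OperatingOrganization()
OPERATOR.enroll("CARD-0001", 42, "bank-210", "BANK-CUST-7781")
OPERATOR.enroll("CARD-0001", 42, "insurer-x", "INS-POL-0093")
```

Each organization receives only its own identifier for the client. Because the Operating Organization sees only the card number, the assurance it gives rests on the integrity of the reader or software that performed the match.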

Claims (40)

3. The system of any previous claim wherein said database storage device is maintained by an Operating Organization independent of said individual and said reputable external organizations.
4. The system of any previous claim wherein access to data stored in said segment is by authorization of said individual.
5. The system of any previous claim wherein said individual has access to said data through submission of personal identifiers.
6. The system of any previous claim wherein said personal identifiers include a username and password.
7. The system of any previous claim wherein said reputable external organizations include government agencies.
8. The system of any previous claim wherein said reputable external organizations include organizations subject to government regulations.
9. The system of any previous claim wherein data items for entry into said sector of said database storage device are verifiable by said external organizations.
10. The system of any previous claim wherein data is entered into said sector of said database by the steps of:
    (a) said individual submits a data item to said Operating Organization for addition to said sector,
    (b) said Operating Organization seeks verification from a relevant source external organization,
    (c) said relevant source external organization provides verification of said data item,
    (d) said Operating Organization advises said individual of said verification,
    (e) said individual accepts or rejects addition of said item to said sector.
11. The system of any previous claim wherein each verified data item in said sector is assigned a value.
12. The system of any previous claim wherein said value is a function of characteristics of said item and status of said source external organization verifying said item.
13. The system of any previous claim wherein an accumulation of said values determines a score; said score providing a reliability indicator of authenticity of said individual's identity.
14. The system of any previous claim wherein said Operating Organization provides authenticated identity scores to requesting external organizations when authorized to do so by said individual.
15. The system of any previous claim wherein said individual nominates at least one independent referee for registration with said Operating Organization.
16. The system of any previous claim wherein a request made by said individual for alteration of data stored in said segment is acted upon only on receipt of confirmation of said request by said at least one independent referee.
17. The system of any previous claim wherein said data items may include information contained in an individual's passport or identity document.
18. The system of any previous claim wherein said data items may include a photo identification of said individual.
19. The system of any previous claim wherein said data items may include a biometric profile of said individual.
20. The system of any previous claim wherein said data items may include an individual's driver's licence.
21. The system of any previous claim wherein said data items may include bank statements.
22. The system of any previous claim wherein said data items may include electoral roll entries.
23. The system of any previous claim wherein said data items may include telephone book entries.
24. The system of any previous claim wherein said data items may include a Public Key Infrastructure digital certificate.
25. A method for establishing a reliability score for the identity of an individual; said method including the steps of:
    (a) establishing an operating organization for maintaining an identity item storage database,
    (b) selling a sector of said database to said individual,
    (c) entering into said sector items of identity information verified by reputable external organizations,
    (d) assigning a value score to each of said items of identity information as a function of quality of said information and status of said external organization,
    (e) determining an identity reliability score for said identity
26. The method of any previous claim wherein said individual controls entry of information into said database sector.
27. The method of any previous claim wherein said identity controls release of said reliability score to requesting organizations.
28. The method of any previous claim wherein alterations of data items in said database sector at a request of said individual requires confirmation of said request by an independent referee.
29. The method of any previous claim wherein the identity of said referee is not included in said portion of said database storage device.
30. A system for the authentication of the identity of a client to a predetermined level of confidence; said system including:
    (a) an Operating Organization providing authentication of said identity of said client to a Requesting Organization,
    (b) a digitized collection of documentation identifying said client; said digitized collection under control of said Operating Organization.
31. The system of claim 34 further including a second channel identifier wherein input digitized data is compared with stored digitized data; a match between said input digitized data and said stored digitized data confirming said input digitized data originated from said individual client.
32. The system of claim 34 wherein authenticity of said collection of documentation is attested to by a suitable third party.
33. The system of claim 36 wherein said digitized collection of documentation is encrypted; access to said digitized collection for modification of said digitized collection of data being restricted to said Operating Organization; said modification permitted only when authorization is provided by said client.
34. The system of claim 36 or 32 wherein modification of said digitized collection requires confirmation of said authorization from a third party referee.
35. The system of claim 35 wherein said stored digitized data is retained in an electronically readable smart card.
36. The system of claim 39 wherein said stored digitized data is a biometric profile of said client.
37. The system of claim 35 wherein said input digitized data is a biometric element of said client.
38. The system of claim 41 wherein said biometric element is at least one fingerprint.
39. The system of claim 41 wherein said biometric element is at least one iris scan.
40. The system of claim 41 wherein said biometric profile is a voice print.
41. The system of claim 39 wherein said stored digitized data is an alphanumeric string known to said client.
42. The system of claim 45 wherein said digitized data input is said number known to said client.
43. The system of any one of claims 39 to 46 wherein said electronically readable smart card stores a unique client identifier number.
44. The system of claim 47 wherein a confirmed match between said data input and said stored digitized data enables transmission of said unique client identifier to said Operating Organization.
45. The system of claim 47 or 48 wherein receipt of said unique client identifier by said Operating Organization enables said Operating Organization to provide authentication of a said client's identity to a said Requesting Organization.
46. A method for authentication of a client identity; said method including the steps of:
    (a) establishing a client identity to a predetermined level of confidence through a collection of identifying documentation,
    (b) digitizing said collection of identifying documentation for retention in a secure database controlled by an Operating Organization,
    (c) providing an electronically readable smart card containing a stored digitized data item,
    (d) providing said smart card with a unique identifying number; a copy of said number retained by said Operating Organization
47. The method of claim 50 wherein said stored digitized data item is a biometric profile of said client.
48. The method of claim 51 wherein said stored digitized item is an alphanumeric string known to said client.
49. An identity confirming smart card; said smart card retaining a digitized identifier element associated with an owner of said smart card; said smart card further retaining a unique identification number; said card adapted to be read by a suitable smart card reader so that said digitized identifier element may be compared with an input provided by said owner of said card; a match of said digitized identifier element and said input providing confirmation of identity of said owner.
50. The identity confirming smart card of claim 53 wherein said digitized identifier element is a biometric profile of said owner.
51. The identity confirming smart card of claim 53 or 54 wherein said input provided by said owner is a biometric element of said owner.
52. The identity confirming smart card of claim 55 wherein said biometric element is at least one fingerprint.
53. The identity confirming smart card of claim 55 wherein said biometric element is at least one iris scan.
54. The identity confirming smart card of claim 55 wherein said biometric profile is a voice print.
55. The identity confirming smart card of claim 53 wherein said digitized identifier element is an alphanumeric string known to said owner.
56. The identity confirming smart card of claim 59 wherein said input provided by said owner is said alphanumeric string known to said owner.
AU2005294107A 2004-10-11 2005-10-11 Authentication system Abandoned AU2005294107A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2005294107A AU2005294107A1 (en) 2004-10-11 2005-10-11 Authentication system

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
AU2004905837A AU2004905837A0 (en) 2004-10-11 Authentication System
AU2004905837 2004-10-11
AU2004906066 2004-10-20
AU2004906066A AU2004906066A0 (en) 2004-10-20 Authentication System
AU2005294107A AU2005294107A1 (en) 2004-10-11 2005-10-11 Authentication system
PCT/AU2005/001555 WO2006039742A1 (en) 2004-10-11 2005-10-11 Authentication system

Publications (1)

Publication Number Publication Date
AU2005294107A1 true AU2005294107A1 (en) 2006-04-20

Family

ID=38038797

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2005294107A Abandoned AU2005294107A1 (en) 2004-10-11 2005-10-11 Authentication system

Country Status (1)

Country Link
AU (1) AU2005294107A1 (en)

Legal Events

Date Code Title Description
MK4 Application lapsed section 142(2)(d) - no continuation fee paid for the application