WO2015124956A1 - Improvements relating to the processing of biometric data - Google Patents

Improvements relating to the processing of biometric data

Info

Publication number: WO2015124956A1
Authority: WO, WIPO (PCT)
Prior art keywords: document, user, terminal, biometric, registry
Application number: PCT/GB2015/050528
Other languages: French (fr)
Inventor: Ralph Mahmoud Omar
Original Assignee: Omarco Network Solutions Limited
Application filed by Omarco Network Solutions Limited

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G06Q20/40145 Biometric identity checks
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C2209/00 Indexing scheme relating to groups G07C9/00 - G07C9/38
    • G07C2209/40 Indexing scheme relating to groups G07C9/20 - G07C9/29
    • G07C2209/41 Indexing scheme relating to groups G07C9/20 - G07C9/29 with means for the generation of identity documents
    • G PHYSICS
    • G07 CHECKING-DEVICES
    • G07C TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
    • G07C9/00 Individual registration on entry or exit
    • G07C9/20 Individual registration on entry or exit involving the use of a pass
    • G07C9/22 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder
    • G07C9/25 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition
    • G07C9/257 Individual registration on entry or exit involving the use of a pass in combination with an identity check of the pass holder using biometric data, e.g. fingerprints, iris scans or voice recognition electronically

Definitions

  • the present invention relates to improved methods and systems that utilise the biometric characteristics of a user in authentication of, for example, the association with and access to resources such as documents and assets.
  • the present invention also relates specifically to registering the association between a document and a user via the biometric characteristics of that user.
  • the present invention may also relate to the automated pre-preparation of biometric data.
  • biometric data such as the patterns of a user's iris, or the ridges of a user's fingers and palms are known to be practically unique to that user.
  • registering the association between that user's biometric data and a document representing an asset reduces the chance of the theft of that asset, as at a redemption stage, the association between the document and the user can be verified with a high level of certainty by checking that user's biometric characteristics.
  • Such documents may include banking documents that represent financial instruments (including investment instruments such as bonds), prize-draw tickets, lottery tickets and the like.
  • biometric data may include fingerprint parameters, iris scan parameters, etc.
  • biometric cards are undertaken in specific data centres or by authorised bank officers armed with mobile technology to allow a degree of mobile registration. This is a very expensive process which adds to the cost of that card.
  • Each subsequent use of the card requires matching of the biometric data stored on the card with that of the person seeking authentication at a biometric terminal.
  • the advantage is considered to reside in the apparent speed of authentication as the check can be carried out locally.
  • One serious disadvantage of this process is that the biometric data is provided on the card, and if the card is lost or stolen the biometric data can be decrypted from the card and a user's identity can become compromised.
  • identity swapping can be carried out in that the forger's biometric data can be substituted for that on the card, thereby bypassing any security of the card. Also, the relatively high cost has acted as a bar to mass use of such technology.
  • the current aspect of the present invention seeks to address at least some of these problems.
  • an aspect of the present invention seeks to speed up, reduce the cost of, and improve the security relating to associating a document with a user.
  • a first aspect of the present invention provides a system for securely registering the association between a document and a user.
  • the system comprises at least one of: a secure terminal; a biometric identity registry for storing a set of biometric characteristics of the user; a document generation terminal; a document registry for storing a specification of the document; and a registration terminal.
  • the secure terminal may comprise at least one biometric sensor.
  • the secure terminal may comprise a processor.
  • the secure terminal may comprise a user identity provisioning means such as a ticket printer.
  • the ticket printer may be arranged to print an ID ticket.
  • the document generation terminal may comprise a document identity provisioning means such as a document printer for printing a copy of the document.
  • the registration terminal may comprise an input means such as a scanner for scanning the document and the ID ticket.
  • the secure terminal is configured, in use, to operate the at least one biometric sensor to determine biometric characteristics of the user.
  • the secure terminal may process using the processor those determined biometric characteristics to derive a set of biometric parameters unique to that user.
  • the secure terminal may be further configured, in use, to securely transmit the set of biometric parameters to the biometric identity registry.
  • the biometric identity registry may be configured, in use, to receive the set of biometric parameters and store it together with a corresponding user identity code.
  • the biometric identity registry may generate the user identity code.
  • the user identity code uniquely references the set of biometric parameters stored by the biometric identity registry.
  • the biometric identity registry may be further configured to, in response to the receipt of the set of biometric parameters from the secure terminal, transmit the corresponding user identity code to the secure terminal.
  • the secure terminal is further configured, in use, to receive the user identity code from the biometric identity registry, and operate the ticket printer to print the received user identity code on to a user-portable ID ticket.
  • the user identity code is ideally exhibited on the ID ticket in a machine-readable format.
  • the document generation terminal may be configured, in use, to receive a request to generate a document, the request comprising a specification. Ideally, the specification specifies the content of the document.
  • the document generation terminal may be arranged to send the specification to the document registry.
  • the document registry may be configured, in use, to receive the document specification and store it together with a corresponding document identity code that uniquely references the document specification stored by the document registry.
  • the document registry may be further configured to transmit the corresponding document identity code to the document generation terminal.
  • the document generation terminal may be configured, in use, to receive the document identity code from the document registry, and operate the document printer to print a copy of the document exhibiting the document identity code thereon in a machine-readable format.
  • the registration terminal is configured, in use, to process a registration transaction during which the registration terminal operates the scanner to scan the machine-readable codes of the ID ticket and the document to extract therefrom, respectively, the user identity code and the document identity code. Processing of the registration transaction by the registration terminal may further comprise pairing together the extracted codes, and transmitting said paired codes to an entity such as at least one of the biometric identity registry and the document registry so as to define a link between the document and the biometric parameters of the user.
  • a user does not necessarily need to have their biometric characteristics scanned every time a document is associated with that user.
  • This means that the system can be made more secure, and more respectful of a user's right to privacy; there is a far reduced chance of a fraudulent third party spoofing or intercepting the biometric characteristics of that user.
  • it is possible for the present system to be deployed at lower expense, in that the relatively expensive biometric scanners need only be provided on the secure terminal, and do not need to be provided at the document generation terminal, nor the registration terminal.
  • a single secure terminal can support many tens or even hundreds of document generation terminals and registration terminals without an appreciable slow-down in the registration process, but realising an appreciable cost saving.
  • the system may further comprise a verification terminal for verifying the association between the user and the document.
  • the verification terminal comprises a scanner for scanning the document and the ID ticket.
  • the verification terminal is configured, in use, to: operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code; determine at least one of the user identity code and a set of biometric parameters unique to that user; and/or transmit a verification request to at least one of the document registry and the biometric identity registry, the verification request comprising the document identity code and at least one of the user identity code and the set of biometric parameters unique to that user.
  • At least one of the document registry and the biometric identity registry may be configured, in response to receiving the verification request, to: determine whether there is a predetermined link between the document and the biometric parameters of the user that are referred to by the verification request; and/or otherwise transmit to the verification terminal, a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
  • the verification terminal may comprise at least one biometric sensor and a processor.
  • the verification terminal may be configured, in use, to determine the set of biometric parameters unique to the user by operating the at least one biometric sensor to determine biometric characteristics of the user.
  • the verification terminal may be arranged to process those determined biometric
  • the verification request may comprise the derived set of biometric parameters.
  • the processor of the verification terminal, and the processor of the secure terminal can each use a function that derives matching sets of biometric parameters from biometric characteristics of the same user.
  • the secure terminal further comprises an image capture device. Ideally, this is positioned and arranged to capture an image of the face of the user. Accordingly, the secure terminal is ideally configured, in use, to: operate the image capture device to capture an image of the face of the user; and operate the ticket printer to print the image of the face of the user on to the user-portable ID ticket together with the user identity code.
  • this allows a user to easily see who a printed ticket is associated with.
  • at least one of the biometric sensors of the secure terminal comprises an iris scanner positioned and arranged to capture an iris image of the iris of the user, the iris image being of a quality sufficient to allow the processor to derive, from that iris image, the set of biometric parameters unique to that user.
  • the iris scanner and the image capture device may be positioned relative to one another on the secure terminal and configured to enable the secure terminal to capture the image of the face of the user and also the iris image from the same position of the face of the user relative to the secure terminal.
  • the user doesn't need to move their face to allow the secure terminal to capture images of both the face and iris of that user, saving time.
  • the system further comprises a POS terminal configured, in use, to conduct a payment transaction, a successful payment transaction being communicated to the document generation terminal to authorise document generation.
  • the POS terminal may comprise a payment module arranged to receive a payment from a user, the successful payment transaction comprising receiving the payment.
  • the POS terminal may be further configured, in use, to communicate, for inclusion within the specification of the document, a reference to a payment value of the payment.
  • the system further comprises a payment validation authority in communication with the POS terminal.
  • the payment validation authority is ideally configured, in use, to transmit a payment validation message to the POS terminal that validates successful payment for generation of the document.
  • the system may further comprise a redemption terminal configured, in use, to conduct a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document.
  • the document registry stores a redemption status associated with a respective document.
  • the redemption terminal comprises a scanner for scanning the document and the ID ticket.
  • the redemption terminal is configured, in use, to: operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code; determine at least one of the user identity code and a set of biometric parameters unique to that user; and send a query to the document registry to determine the redemption status associated with that document, the query including the extracted document identity code and the at least one of the user identity code and the set of biometric parameters.
  • the document registry may be configured, in use, to respond to the query to: validate the document redemption transaction on the basis of the redemption status, the document identity code, and at least one of the user identity code and the set of biometric parameters; and update the redemption status associated with that document in response to a successful document redemption transaction.
  • the "storage" of data by an entity may be the same as that entity otherwise having access to that data, for example via a secured communication network.
  • the document registry may be configured, in use, to determine the redemption value associated with the document by: comparing at least a portion of the specification of the document with an outcome of an event, the outcome being determined after receipt by the document registry of the specification of the document. Timestamps may be used to verify such chronology.
  • the document generation terminal may be configured, in use, to receive a request to generate a document, the request comprising a specification specifying content that references the event, and also a predicted outcome of the event, the document generation terminal being arranged to send the specification to the document registry.
  • the document registry may be configured, in use, to determine the redemption value associated with the document by comparing the predicted outcome of the referenced event with the outcome of that event, as defined by the specification associated with that document.
  • a secure terminal; a processor; a ticket printer; an ID ticket; a biometric identity registry; a document generation terminal; a document printer; a printed copy of a document; a document registry; a specification of a document; a registration terminal; a scanner; a verification terminal; an image capture device; a biometric scanner; an iris scanner; a fingerprint/hand scanner; a POS terminal; a payment module; a payment validation authority and a redemption terminal.
  • the method may comprise at least one of: determining (ideally at a secure terminal) using at least one biometric sensor, biometric characteristics of the user;
  • the user identity code in a user-portable format
  • a request to generate a document comprising a specification specifying content of the document
  • the document (ideally at the document generation terminal), in a user-portable format, the generated document including the document identity code;
  • a registration transaction for registering the association between the document and the user comprising:
  • pairing the document identity code with the user identity code and transmitting those paired codes - ideally to at least one of the biometric identity registry and the document registry - so as to define a link between the document and the biometric parameters of the user.
  • the method comprises verifying the association between the user and the document. This may involve transmitting (ideally via a verification terminal), a verification request. This may be to at least one of the document registry and the biometric identity registry. In any case, the verification request ideally comprises the document identity code and at least one of the user identity code and a set of biometric parameters unique to that user.
  • Verification may also involve receiving in response to the verification request (ideally from at least one of the document registry and the biometric identity registry), a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
  • the method may further comprise conducting a payment transaction, ideally at a POS terminal.
  • a successful payment transaction authorises the step of generating the document, for example at the document generation terminal.
  • the payment transaction may comprise receiving a payment, a payment value of which is referenced by the specification.
  • Conducting the payment transaction may comprise receiving (e.g. at the POS terminal) from a payment validation authority a payment validation message that validates successful payment for generation of the document.
  • the method may comprise conducting a document redemption transaction, such as at a redemption terminal.
  • a successful document redemption transaction authorises payment to a user of a redemption value associated with the document.
  • a redemption status may be stored, for example at the document registry.
  • the redemption status is associated with a respective document, and the document redemption transaction comprises at least one of: sending a redemption query (ideally to the document registry) to determine the redemption status associated with that document, the query including at least one of: the document identity code, the user identity code and a set of biometric parameters unique to that user; validating the document redemption transaction on the basis of the redemption status and the at least one of: the document identity code, the user identity code and set of biometric parameters; and updating the redemption status associated with that document (ideally at the document registry) in response to a successful document redemption transaction.
  • the method further comprises determining the redemption value associated with the document by comparing at least a portion of the specification of the document (ideally held by the document registry) with an outcome of an event. Ideally, the outcome is determined after document generation, or after receipt by the document registry of the specification of the document.
  • the specification included with the request to generate a document comprises content that references the event, and also a predicted outcome of the event, and determining the redemption value associated with the document comprises comparing the predicted outcome of the referenced event with the outcome of that event.
  • Providing the user identity code in a user-portable format may comprise printing, e.g. at the secure terminal, the user identity code onto an ID ticket.
  • the user identity code may be printed onto the ID ticket in a machine-readable format, such as a barcode.
  • Generating the document at the document generation terminal in a user-portable format may comprise printing the document, the printed document exhibiting the document identity code of the document.
  • the document identity code is exhibited on the printed document in a machine-readable format, such as a barcode.
  • the method may further comprise scanning, e.g. at the registration terminal, the ID ticket and/or printed document to extract therefrom the respective user identity code and/or document identity code to facilitate their input for the registration transaction.
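The registration, verification and redemption steps summarised above, sketched as a toy document registry; this is an added example, not code from the patent. The class and method names, the rule that an existing link is never overwritten, the prize value and the sample codes and timestamps are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class DocumentRecord:
    spec: dict                    # content: referenced event and predicted outcome
    received_at: float            # registry time when the specification arrived
    owner: Optional[str] = None   # user identity code paired at registration
    redeemed: bool = False        # redemption status


class DocumentRegistry:
    """Toy in-memory document registry (hypothetical API)."""

    def __init__(self):
        self._docs = {}           # document identity code -> DocumentRecord

    def store_specification(self, spec: dict, now: float) -> str:
        """Store a specification and return its unique document identity code."""
        code = secrets.token_hex(8)
        while code in self._docs:
            code = secrets.token_hex(8)
        self._docs[code] = DocumentRecord(dict(spec), now)
        return code

    def register(self, doc_code: str, user_code: str) -> bool:
        """Registration transaction: link the paired codes."""
        rec = self._docs.get(doc_code)
        # Assumed policy: an existing link is never overwritten, so a document
        # cannot later be re-paired with a different ID ticket.
        if rec is None or rec.owner is not None or not user_code:
            return False
        rec.owner = user_code
        return True

    def verify(self, doc_code: str, user_code: str) -> bool:
        """Verification request: is there a predetermined link for this pair?"""
        rec = self._docs.get(doc_code)
        return rec is not None and rec.owner is not None and rec.owner == user_code

    def redeem(self, doc_code, user_code, event, outcome, outcome_at, prize):
        """Redemption query. Returns (ok, reason, value)."""
        if not self.verify(doc_code, user_code):
            return (False, "no registered link", 0)
        rec = self._docs[doc_code]
        if rec.redeemed:
            return (False, "already redeemed", 0)
        if rec.spec.get("event") != event:
            return (False, "different event", 0)
        # Chronology check: the specification must predate the outcome.
        if rec.received_at >= outcome_at:
            return (False, "specification received after outcome", 0)
        if rec.spec.get("prediction") != outcome:
            return (False, "prediction does not match outcome", 0)
        rec.redeemed = True       # status updated only on successful redemption
        return (True, "redeemed", prize)


def demo():
    reg = DocumentRegistry()
    owner, other = "UIC-0001", "UIC-0002"            # constructed user identity codes
    spec = {"event": "draw-week-9", "prediction": [3, 11, 19, 27]}
    doc = reg.store_specification(spec, now=1000.0)
    late = reg.store_specification(spec, now=2500.0)  # stored after the draw
    results = {
        "register": reg.register(doc, owner),
        "re_pair": reg.register(doc, other),          # refused: link exists
    }
    reg.register(late, other)
    draw = dict(event="draw-week-9", outcome=[3, 11, 19, 27],
                outcome_at=2000.0, prize=500)
    results["other_user"] = reg.redeem(doc, other, **draw)
    results["late_spec"] = reg.redeem(late, other, **draw)
    results["owner"] = reg.redeem(doc, owner, **draw)
    results["replay"] = reg.redeem(doc, owner, **draw)
    return results


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```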
  • Figure 1 is a schematic diagram of an overview of a system according to a first embodiment of the present invention;
  • Figure 2 is a schematic diagram of a document, in the form of a prize-draw ticket for use with the system shown in Figure 1;
  • Figure 3 is a schematic diagram of an extension to the system of Figure 1;
  • Figure 4 shows a flow diagram of a process that is a generalised version of the first embodiment of the present invention.
  • Figure 1 shows a system 10 according to a first embodiment of the present invention.
  • the system 10 is shown in overview in Figure 1, and so, in the interests of clarity, not all the components of the system 10 are shown.
  • the system 10 comprises a secure terminal 20, a document generation terminal 30, a registration terminal 40, a biometric identity registry 50 and a document registry 60.
  • the system 10 also comprises a communications network 11 that enables communication between these system components and others not shown in Figure 1, as will be described in greater detail below.
  • computing resources may include processors for processing data, communication modules for communication with other computerised components, databases for data storage and user-interfaces to allow data to be presented to, and received from users.
  • the secure terminal 20 comprises a plurality of biometric sensors, namely an iris scanner 21 for capturing an iris image of the iris of a user 1 and a fingerprint and palm scanner 22 for capturing a fingerprint and palm image of the hand of the user 1.
  • the secure terminal 20 also comprises a ticket printer 23 for printing an ID ticket 200, and an image capture device 24 for capturing an image of the face of the user 1.
  • the secure terminal also comprises other components such as a processor 25.
  • the document generation terminal 30 comprises a document printer 31 for printing a copy of a document 300 in the form of a prize-draw ticket 300.
  • the registration terminal 40 comprises a scanner 41 for scanning the document 300 printed by the document printer 31 at the document generation terminal 30 and also the ID ticket 200 printed by the ticket printer 23 at the secure terminal 20.
  • the scanner 41 is arranged to scan the respective barcodes exhibited on the printed ID ticket 200 and document 300.
  • the terminals 20, 30, 40, the biometric identity registry, and the document registry of the system 10 interact with one another in a way that allows an association between the user 1 and the document 300 to be securely registered in a way that is quicker, less expensive and more secure than prior known systems, especially for documents which represent assets (such as prize-draw tickets 300) that it is beneficial to associate uniquely with the biometric data of their rightful owner.
  • One of the ways that the present system is quicker than prior known systems relates to the fact that a user does not necessarily need to have their biometric characteristics scanned every time that user wishes to associate themselves with a document. This, in turn, means that the system can be made more secure, and more respectful of a user's right to privacy; there is a far reduced chance of a fraudulent third party spoofing or intercepting the biometric characteristics of that user.
  • it is possible for the present system to be deployed at lower expense, in that the relatively expensive biometric scanners 21, 22 need only be provided on the secure terminal 20, and do not need to be provided at the document generation terminal 30, nor the registration terminal 40. Furthermore, a single secure terminal 20 can support many tens or even hundreds of document generation terminals 30 and registration terminals 40 without an appreciable slow-down in the registration process, but realising an appreciable cost saving.
  • a user 1 wishing to use the system 10 approaches the secure terminal 20.
  • the secure terminal 20 is configured to operate the biometric sensors - namely the iris scanner 21 and the fingerprint and palm scanner 22 - so as to determine the biometric characteristics of the user.
  • the user 1 may be instructed via a display screen 26 of the secure terminal about where to stand, where to position his or her face and hands and so forth.
  • the secure terminal also operates the image capture device 24 to capture an image of the face of the user.
  • the iris scanner 21 and the image capture device 24 are arranged relative to one another to enable the images of both the iris and the face of the user to be captured substantially simultaneously (or otherwise without requiring the user 1 to move or face towards independent face and iris capture devices).
  • the iris scanner 21 and the image capture device 24 may be mounted on or be part of the same device, and may even share components such as CCDs, lenses or the like, thereby reducing further the cost of the system 10 as a whole.
  • the biometric characteristics of the user 1 are then processed by a processor 25 of the secure terminal 20 to derive a set of biometric parameters unique to that user 1.
  • the biometric characteristics of the user 1 may be taken many times, with the different instances checked against one another.
  • the biometric parameters may be taken under different conditions, again to increase the reliability of the biometric parameters.
  • the secure terminal 20 may take a scan of the iris from different angles, and under different lighting conditions to ensure the key patterns of the iris persist across all conditions, and so are likely to be detected again when checking the biometric identity of a user 1.
  • the secure terminal may comprise a plurality of light sources of different wavelengths and/or positioned at different locations that are activated sequentially in order to capture a sequence of different images of the user's iris. Each image can be analysed with another in the sequence to determine what the key patterns of the iris are.
  • the sequence of comparable images may be those that have been taken through different lenses each having a different viewpoint of the iris. The set of biometric characteristics are then securely transmitted over the
  • biometric identity registry 50 for storage thereat.
  • biometric characteristics are encrypted prior to transmission.
  • public-private key encryption between the biometric identity registry 50 and the secure terminal 20 is particularly useful.
  • the biometric identity registry 50 is configured to receive the set of biometric parameters and store it together with a corresponding user identity code.
  • the biometric identity registry 50 may assign the user identity code at random, or determine the user identity code by hashing one or more biometric parameters. Ideally, a combination of these two methods is used to allow the system to benefit from the security of a randomly assigned code at the same time as benefitting from the integrity of a code that is derivable from the biometric parameters. In any case, the resulting user identity code against which the set of biometric parameters is stored is unique.
  • the biometric identity registry 50 is then configured to respond to the secure terminal 20 by sending to it the user identity code.
  • the secure terminal 20 is configured to receive the user identity code from the biometric identity registry 50, and operate the ticket printer 23 to print the received user identity code on to a user-portable ID ticket 200.
  • the user identity code is exhibited on the ID ticket 200 as a 3D barcode 201, although it will be appreciated that other machine-readable indicia are possible that allow the subsequent entering of the code to be performed quickly and reliably.
  • the secure terminal 20 is configured to control the ticket printer 23 to print onto the ID ticket 200 alongside the 3D barcode 201, an image of the face of the user 202.
  • this provides an efficient way to allow the user to be satisfied that the ID ticket 200 relates to them and not a different user.
  • the ID ticket 200 is user-portable, and is approximately the size of a credit-card.
  • a user 1 carries their ID ticket 200 with them, presenting it when they desire to uniquely associate a document with them, or rather, their unique set of biometric parameters as will be described.
  • the ID ticket 200 does not actually contain any of the biometric parameters of the user; only a reference to them at the biometric identity registry. Thus, the loss or theft of the ID ticket 200 does not compromise the security of the user's biometric details.
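One way to build the combined user identity code described above, as an added illustration rather than anything specified in the patent: a random part followed by a keyed hash (HMAC-SHA-256) over that random part and the stored parameters. The HMAC construction, the registry-held key, the code layout and the sample parameter values are assumptions, as is the premise that the derived parameter set is stable enough to hash.

```python
import hashlib
import hmac
import json
import secrets

RANDOM_BYTES = 16   # randomly assigned part of the code
TAG_BYTES = 8       # part derived by hashing the biometric parameters


def canonical(params: dict) -> bytes:
    """Serialise a parameter set deterministically so equal sets hash equally."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


class BiometricIdentityRegistry:
    """Toy in-memory registry: parameter sets stored against user identity codes."""

    def __init__(self, hash_key: bytes):
        self._key = hash_key      # assumption: secret known only to the registry
        self._store = {}          # user identity code -> biometric parameters

    def _tag(self, rand: bytes, params: dict) -> bytes:
        # Keyed hash, so the printed code cannot be used to test guesses about
        # the parameters without the registry's key (design choice of this sketch).
        mac = hmac.new(self._key, rand + canonical(params), hashlib.sha256)
        return mac.digest()[:TAG_BYTES]

    def enrol(self, params: dict) -> str:
        """Store the parameters and return the code to print on the ID ticket."""
        while True:
            rand = secrets.token_bytes(RANDOM_BYTES)
            code = rand.hex() + "-" + self._tag(rand, params).hex()
            if code not in self._store:            # the code must be unique
                self._store[code] = json.loads(canonical(params))  # private copy
                return code

    def lookup(self, code: str):
        """Return the stored parameters for a code, or None if unknown."""
        return self._store.get(code)

    def record_is_intact(self, code: str) -> bool:
        """Recompute the hashed part from the stored parameters and compare."""
        params = self._store.get(code)
        if params is None:
            return False
        try:
            rand_hex, tag_hex = code.split("-")
            rand, tag = bytes.fromhex(rand_hex), bytes.fromhex(tag_hex)
        except ValueError:
            return False
        return hmac.compare_digest(tag, self._tag(rand, params))


def demo():
    registry = BiometricIdentityRegistry(secrets.token_bytes(32))
    params = {"iris": [12, 7, 201, 44], "palm": [3, 9, 150]}   # constructed values
    first = registry.enrol(params)
    second = registry.enrol(params)    # same person, enrolled a second time
    intact_before = registry.record_is_intact(first)
    registry._store[first]["iris"][0] ^= 1   # simulate an altered stored record
    return {
        "codes_differ": first != second,           # random part: codes unlinkable
        "intact_before": intact_before,
        "intact_after_tamper": registry.record_is_intact(first),
        "other_record_intact": registry.record_is_intact(second),
        "unknown_code": registry.lookup("00" * RANDOM_BYTES + "-" + "00" * TAG_BYTES),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The random part keeps two tickets for the same person from sharing a code, while the hashed part lets the registry detect a stored parameter set that no longer matches the code it is filed under.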
  • the user 1 can make use of the document generation terminal 30 to obtain a copy of a document 300 in the form of a prize-draw ticket 300.
  • the user 1 approaches the document generation terminal 30 and interacts with it to formulate a request to generate a document 300.
  • the document generation terminal 30 issues prize-draw tickets 300, and so this interaction involves the user 1 specifying numbers he or she desires to submit into a future prize draw, along with a selection of which prize-draw the user wishes to enter. For example, if a prize-draw event is held every Saturday, the user 1 will need to specify for which week the prize-draw ticket is an entry.
  • the document generation terminal 30 may comprise a touch-screen display firstly to provide guidance to a user, and secondly to allow the user to interact with the document generation terminal 30 to formulate the specification by picking the appropriate content (e.g. their prize-draw numbers and entry date).
  • the document generation terminal 30 is configured to send the specification to the document registry 60 via the communication network 11.
  • the document registry 60 is configured to receive the document specification and store it together with a corresponding document identity code that uniquely references the document specification stored by the document registry 60.
  • the document registry 60 is further configured to transmit the corresponding document identity code back to the document generation terminal 30.
  • the document generation terminal 30 is configured to receive the document identity code from the document registry 60, and operate the document printer 31 to print a copy of the document 300.
  • the document exhibits the document identity code thereon in a machine-readable format, specifically as a barcode 301. Also exhibited on the printed copy of the document 300 is content from the specification, such as the date 302 of the prize draw event, the selected prize-draw numbers 303 and a timestamp 304 reflecting the time and date the document generation terminal 30 instructed printing of the copy of the document 300.
  • a user 1 may initiate a request for many documents, each with their own specification and unique document identity code. Moreover, such requests may be issued to different document generation terminals. It does not matter whether the user 1 approaches the secure terminal 20 to first obtain an ID ticket 200, or whether the user subsequently approaches the secure terminal 20 after obtaining the document 300 from the document generation terminal 30. In either case, after visiting both the secure terminal 20 and the document generation terminal 30, the user 1 is in possession of an ID ticket 200 bearing his or her user identity code and a document 300 bearing a document identity code. Together, these can be utilised to register the specification of the document 300 against the biometric details of the user 1. To do this, the user approaches the registration terminal 40 with both the ID ticket 200 and the document 300.
  • the registration terminal 40 is configured to process a registration transaction during which the registration terminal operates the scanner 41 to scan the machine-readable codes 201, 301 of the ID ticket 200 and the document 300 to extract therefrom, respectively, the user identity code and the document identity code.
  • when receiving the paired codes from the registration terminal 40, the document registry 60 is able to perform a query to determine whether the document identity code already exists therein, and if so, the document registry 60 stores alongside the document identity code (and the specification of the document) the user identity code.
  • when receiving the paired codes from the registration terminal 40, the biometric identity registry 50 is able to perform a query to determine whether the user identity code already exists therein, and if so, the biometric identity registry 50 stores the document identity code alongside the user identity code (and the set of biometric parameters unique to that user). It should be further appreciated that the biometric identity registry 50 and the document registry 60 may communicate with one another over a secure communication channel to verify and maintain the integrity and security of the data held by each registry.
  • the user has a choice regarding whether or not to register documents against their biometric data. If the document represents a relatively low value asset, then the user is able to save time by not going through the registration transaction.
  • the registration terminal may be configured to carry out a single registration transaction that involves scanning in multiple documents, and a single ID ticket 200 once for the purpose of registering those multiple documents against a single user without needing to scan in the ID ticket 200 for every document.
  • Another example is where a single user may wish to generate documents as gifts for other users. It is possible to provide those documents as registered gifts, assuming the user has the ID ticket 200 associated with those other users. Friends and families may share ID tickets with one another enabling this function of the system 10.
  • the distribution of a user's ID ticket does not compromise the security of the system 10 as it is possible only to register a document against a user's set of biometric parameters. It is not possible to obtain those biometric parameters (nor any benefit associated with the document as will be described in greater detail below).
  • An analogy is if one has a bank account number, it is only possible to pay money into that bank account - not withdraw money from it.
  • the system 10 is particularly applicable and advantageous where the document has a value, or otherwise relates to an asset which may appreciate in value over time. This is also the case where a user 1 pays submitting a request to generate a document, as is the case for documents in the form of investments, entries into prize-draws or entries into a lottery.
  • the system 10 may further comprise a point-of-sale (POS) terminal configured to conduct a payment transaction.
  • the document generation terminal 30 acts as the POS terminal, but it will be appreciated that in alternatives, the POS terminal is separate from the document generation terminal 30. In either case, a successful payment transaction conducted by the POS terminal is communicated to the document generation terminal to authorise document generation.
  • Figure 3 is a schematic diagram of an extension of the system 10 of Figure 1 having a combined document generation terminal and POS terminal connected to the
  • the system 10 further comprises a payment validation authority 70.
  • the POS terminal comprises a payment module 32 arranged to receive a payment from the user.
  • the payment module 32 may comprise a cash input (e.g. a cash or banknote input) and/or a payment card reader input.
  • payment validation is carried out locally as a result of the collected cash.
  • the payment module 32 is configured to communicate with the payment validation authority 70 to verify the credentials provided on a payment card presented by a user 1.
  • the payment validation authority 70 is configured to transmit a payment validation message to the POS terminal that validates successful payment for generation of the document 300.
  • a successful payment transaction involves receiving payment and the POS terminal including within the specification of the document 300, a reference to a payment value of the payment.
  • the payment value 305 of the printed document 300 is shown to be £1.
  • this information included in the specification of the document can be transmitted to the document registry 60 for storage thereat.
  • a natural additional aspect of the system 10 of the present embodiment is the ability to verify that a user and a document are associated with one another. This can be useful for the purposes of redeeming a document such as a prize-draw ticket.
  • the system 10 supports two ways in which the association between a document and a user can be verified.
  • a high-security, high-cost approach involves re-scanning the biometric characteristics of the user 1
  • a low-security, low-cost approach is to simply rescan the ID ticket 200 along with the document 300.
  • a combination of these two methods may be used, in dependence on the desired operation the verification will lead to, and also the value of that operation. For example, where the verification is for the purposes of paying out winnings to the winner of a prize totalling more than hundreds of pounds, then the high security approach will be adopted. Conversely, for the redemption of a relatively small prize under £100, a more convenient, low-cost approach will be adopted.
  • Although the system 10 may comprise an independent verification terminal, it is beneficial to utilise the existing infrastructure of the system 10 as shown in Figure 1.
  • the secure terminal 20 can be used as a verification terminal.
  • the registration terminal 40 can be used as a verification terminal.
  • the system comprises a verification terminal in the form of the secure terminal 20 for verifying the association between the user and the document.
  • the secure terminal comprises a scanner 27, although this is not essential as will be explained below.
  • the verification terminal 20 operates the scanner 27 to scan the machine-readable code of at least the document 300 to extract therefrom the document identity code. Furthermore, the verification terminal 20 derives a set of biometric parameters from the biometric sensors 21, 22 in a similar manner as already described. The verification terminal is then configured to transmit a verification request to at least one of the document registry 60 and the biometric identity registry 50 (ideally the latter).
  • the verification request 20 comprises the extracted document identity code and the set of biometric parameters unique to that user.
  • the document registry 60 and the biometric identity registry 50 query themselves, and if necessary the other registry to determine whether there is a predetermined link between the document and the biometric parameters of the user that are referred to by the verification request.
  • a verification message is sent to the verification terminal 20 that verifies the predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
  • As the biometric details of a user are unique, and highly unsusceptible to spoofing by a malicious third-party, it is not strictly necessary for a user 1 to provide the document identity code for the purposes of verifying association with that document. This is highly beneficial where the printed version of the document 300 has been lost, stolen or destroyed after registration; due to the registration, it is still possible for the user 1 to unambiguously claim association with that document, even if they no longer hold the printed copy of that document 300.
  • the low-security approach utilises the registration terminal as the verification terminal.
  • As the biometric characteristics of the user cannot be scanned, it is necessary for a user 1 to provide both the printed document 300 and the ID ticket 200 as de facto proof of association between the document and the user.
  • the ID ticket 200 may be inspected by an administrator to ensure that the image of the face on the ID ticket 200 matches the user attempting to carry out the verification process.
  • the registration terminal 40 acting as a verification terminal 40 may employ an image capture device to perform automatic facial matching of the user 1 and the image of the face on the ID ticket 200.
  • the system 10 comprises a redemption terminal which is configured to conduct a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document.
  • Although an independent redemption terminal may be provided, it is beneficial to make use of the infrastructure of the existing system of Figure 1. Accordingly, as already described in relation to the verification terminal, the secure terminal 20 can act as the redemption terminal for high-security / high value redemption transactions, and the registration terminal can act as the redemption terminal for low-security / low value redemption transactions.
  • redemption is similar to validation.
  • the document registry 60 stores a redemption status associated with a respective document.
  • the redemption terminal also sends a redemption query to the document registry to determine the redemption status associated with that document.
  • the query also includes the appropriate combination of a set of biometric parameters, the document identity code and the user identity code.
  • the document registry is configured to respond to the redemption query to validate the document redemption transaction on the basis of the redemption status (as well as the document identity code, the user identity code and/or the set of biometric parameters). In response to a successful document redemption transaction, the document registry further updates the redemption status associated with that document.
  • Relatively low-value payment may be provided by dispensing of cash.
  • Relatively high-value payment may be provided by electronically transferring the value to a user's registered bank account.
  • the redemption terminal may communicate with a payment validation authority (such as that shown in Figure 3) to carry out such a transfer.
  • Certain documents' redemption values may change over time. For example, if the document represents a financial instrument such as a bond, then the value may increase over time, and it may be redeemable only after a certain date. Similarly, the redemption value of a document may depend on whether certain conditions are fulfilled. In the present example, the document represents an entry into a prize-draw, and the redemption value of the document is dependent on whether a user manages to correctly predict the winning numbers drawn at a specific prize-draw event in the future. Referring specifically to the prize-draw ticket shown in Figure 2, the document was generated on 24 February 2015 for a prize-draw taking place in the future on Saturday 24 February 2016, with the drawn numbers being predicted by the user to be: 01, 08, 16, 36, 42 and 49.
  • the document registry 60 is able to independently and reliably determine the redemption value of the document specification held by it.
  • the document registry is configured to determine the redemption value associated with the document by comparing at least a portion of the specification of the document with an outcome of an event. This assumes that the document registry has access to information relating to the event. Notably, the outcome of the event should be only determined after receipt by the document registry of the specification of the document.
  • the document generation terminal 30 is configured to receive a request to generate a document 300, the request comprising a specification specifying content that references the event, and also a predicted outcome of the event.
  • the document generation terminal 30 is then configured to send the specification to the document registry 60.
  • the specification is held there until the occurrence of the event (or early redemption, if possible, before the event).
  • the document registry 60 is thus configured to determine the redemption value associated with the document by comparing the predicted outcome of the referenced event with the outcome of that event, as defined by the specification associated with that document.
  • Printing onto paper or another suitable flexible substrate is particularly useful as this approach is low-cost, secure, and does not require the user to possess any special hardware.
  • Security can be enhanced by providing the substrate with watermarks or other such markings, and security inks can be used to print onto that substrate that assure the provenance and authenticity of the issuer. Thus, this is a preferred approach of the embodiment described above.
  • the issuance can be in an electronic format.
  • electronic documents, tickets or tokens can be used instead (or in addition to) the printed formats.
  • the user 1 would need to possess, or have access to an electronic device, such as a mobile telecommunications device, that can be configured to receive such electronic documents, tickets or tokens.
  • the user 1 would need to provide the secure terminal 20 and the document generation terminal 30 with a means for accessing that electronic device so that the electronic ID ticket issued by the secure terminal 20, or the electronic document issued by the document generation terminal 30 can be transferred to that electronic device.
  • the user 1 may provide the secure terminal 20 or the document generation terminal 30 with the telephone number of the mobile device, and the electronic ID ticket can be sent to that mobile device as a MMS or SMS text message.
  • the user 1 may provide to the terminals 20, 30, a unique reference to an account held by the user 1, such as an email address.
  • Such an account should be capable of receiving the data sent by the terminals 20, 30, and allow for at least one of: the forwarding of that data, or the presentation of that data on a display of the mobile device, such that the display of the mobile device emulates what would have been exhibited on a printed ticket.
  • the registration terminal 40 does not need to be modified from that described above, in that it can simply scan, using the scanner 41, the electronic display of the mobile device to read-in the user identity code and the document identity code which are displayed on the mobile device in machine-readable (barcode) form.
  • a scanner 41 is not required at the registration terminal 40, merely a means for receiving the electronic data forwarded by the mobile device that contains the user identity code, and the document identity code.
  • Transmission to the registration terminal is ideally via a short-range communication channel, such as WiFi, Bluetooth® or NFC, as this improves the security of the transmission.
  • secure communication can be carried out via the communication network 11 of the system 10.
  • the biometric identity registry 50 and the document registry 60 may be provided by a single server. Communication between the server and the mobile device of the user over the communication network 11 will thus need to be secured, for example by making use of known encryption techniques.
  • the biometric identity registry 50 and the document registry 60 are shown as two separate registries, but they could, in principle, be provided by a single entity or server. Nonetheless, there is an advantage in their separation as this improves the security and the speed of communication between the different components of the system 10 and the performance of the system 10 as a whole.
  • As the biometric identity registry 50 contains highly sensitive information relating to the biometric parameters of users, any communication with it, especially relating to such biometric parameters, is ideally carried out using a more secure connection than, for example, communication with the document registry 60.
  • a payment validation authority 70 may be part of, or in communication with the system 10 for the purposes of authorising the purchase of documents such as prize draw tickets, and even also for their redemption.
  • this modular arrangement can be even further extended.
  • system 10 may be extended to include an investment registry.
  • This can be configured in a similar way to the document registry 60 (or even be part of the document registry 60), but performs the function of registering the association between the document (or the user) to an investment.
  • the request to generate a document may also comprise a request for an investment into a particular investment, such as a government bond.
  • this request for investment can be specified in the document specification that is sent to the document registry and/or the investment registry.
  • the multifunction document can serve as an entry into a short term event (such as a prize draw) and also a long term event (such as an investment such as a government bond having a maturity date after the prize draw, ideally many years after).
  • a prize incentive bond can be provided which can, for example, provide a new type of financial investment instrument which is compliant with Sharia'h law for example (and/or other sets of laws or regulations which impose strict limitations on the functional operation of those instruments).
  • the characteristics of the new instrument create difficulties in system implementation which are addressed by the present invention.
  • the new prize incentive bond is based on an appreciation that the financial conditions defined by Sharia'h law can be accommodated in an enhanced long-term investment vehicle which has a short-term marketing aspect associated with it.
  • that short-term marketing concept is an automatically selected or self-selected number-based prize scheme, which can help to market the long-term financial investment vehicle attached to it. This has the advantage of enhancing the attractiveness of the long-term financial investment to the user.
  • the system 10 may comprise an advertisement authority or function in which an advertisement is provided on the document or ID ticket provided to the user. Such an advertisement can assist in financing the operation of the system 10. Additionally, the advertisement can be targeted by using the details acquired by the system 10 about the user. For example, if it is possible to determine from the acquired biometric parameters whether the user 1 is of a particular gender or ethnicity, advertisements of products and services considered to be appropriate to that particular user can be provided in the form of the document or ID ticket that the user 1 is provided with by the secure terminal 20 or the document generator 30. Similarly, the secure terminal 20 or document generator may comprise a positioning module to determine their location.
  • the system 10 may comprise a media provisioning authority or function in which media can be provided on the document or ID ticket.
  • media may include direct media (such as images of collectable characters, recipes, prayers, quotations, visually appealing patterns and the like), and/or such media may include referential media (such as an internet URL to a free movie).
  • Figure 4 shows a flow diagram that expresses a generalised embodiment of the invention in the form of a method or process 100. This elucidates how features of the other embodiments of the invention may be generalised.
  • step 101 biometric characteristics of the user are determined. Ideally, this is via one or more biometric sensors of a secure terminal, but alternatives are possible.
  • step 102 those biometric characteristics are processed to derive a set of biometric parameters unique to that user. Again this is ideally carried out by a processor of a secure terminal, but it should be appreciated that the method does not need to be limited to this. For example, the processing can be performed by a different entity.
  • a user identity code is determined that uniquely references those biometric parameters.
  • This code may be generated as a result of, for example, sending the set of biometric parameters from a secure terminal to a biometric identity registry, which then assigns the code.
  • the method may not necessarily be limited to this, and rather the secure terminal (or whichever entity performs steps 101 and/or 102) may generate the user identity code locally.
  • the user identity code is provided to the user in a format that the user can take away with them - i.e. a user-portable format.
  • a request is received to generate a document.
  • this request is user-initiated.
  • a user may interact with a user-interface of a document generation terminal in order to formulate this request.
  • the specification of the document is included with the request.
  • a document identity code is determined that uniquely references the requested document, and moreover, its specification.
  • This code may be generated as a result of, for example, sending the specification from a document generation terminal to a document registry, which then assigns the code.
  • the method may not necessarily be limited to this, and rather the document generation terminal (or whichever entity performs steps 105 and/or 106) may generate the document identity code locally.
  • step 108 the document identity code is provided to the user in a format that the user can take away with them - i.e. a user-portable format.
  • the set of steps 101 to 104 may take place before or after the set of steps 105 to 108. However both sets need to be completed prior to steps 109 onwards.
  • step 109 the user typically presents, from the respective user-portable formats, the document identity code and the user identity code for input. This is ideally to a registration terminal for the purpose of carrying out a registration transaction but alternatives are possible.
  • step 110 the document identity code and the user identity code are paired with one another. Ideally these paired codes are transmitted to a relevant component, system, registry or authority that also manages the set of biometric parameters established in step 102.
  • step 111 the paired codes are used to define a link between the document and biometric parameters of the user.
  • step 112 it is possible to validate the existence of such a predetermined link for the purposes of document redemption or validation.
  • Verifying the association between the user and the document may comprise transmitting a verification request comprising the document identity code and at least one of the user identity code and a set of biometric parameters unique to that user. Accordingly a response may be received to the verification request in the form of a verification message that verifies a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
  • the process 100 described in relation to Figure 4 may also support extensions such as one or more of:
  • conducting a payment transaction, a successful payment transaction authorising the step 104 of providing the user identity code to the user;
  • redemption transaction authorising payment to a user of a redemption value associated with the document.
  • determining the redemption value associated with the document by comparing at least a portion of the specification of the document with an outcome of an event, the outcome being determined after formulation of the specification of the document.
  • the specification comprises content that references the event, and also a predicted outcome of the event. Accordingly, determining the redemption value associated with the document comprises comparing the predicted outcome of the referenced event with the outcome of that event.
  • the step 104 of providing the user identity code in a user-portable format may comprise printing, at the secure terminal, the user identity code onto an ID ticket.
  • the user identity code may be printed onto the ID ticket in a machine-readable format, such as a 3D barcode.
  • step 105 and/or 106 may comprise generating a document. This may involve generating the document at the document generation terminal in a user-portable format by printing the document. Ideally, the printed document exhibits the document identity code of the document. Again, the document identity code may be exhibited on the printed document in a machine-readable format, such as a barcode.
  • step 109 may comprise scanning the ID ticket and/or printed document to extract therefrom the respective user identity code and/or document identity code to facilitate their input for a registration transaction.
  • an embodiment may reside in providing a terminal which issues a user identification store which is provided with a unique identifier that is associated with the biometric parameters measured of that user and which can be used to access stored biometric information pertaining to that user for user identity verification.
  • the store of biometric information is preferably stored at a central server but in an alternative embodiment, they can be stored in a secure part of the terminal when
  • the unique identifier is typically printed on a ticket or receipt which can then be used for subsequent authentication of the user.
  • the biometric terminal communicates the unique identifier to a central store where it is held together with parameters which relate to the biometric information obtained from the user for use in subsequent authentications of that user.
  • the user goes to an authentication terminal and provides their biometric data and their unique identifier. Both the identifier and parameters derived from the biometric data are transmitted to the central server for confirmation of the user's identity. Confirmation enables authentication of the user and access to whatever service they are seeking to use.
  • An automated terminal may be provided that records biometric data such as fingerprints and/or iris information and reads an individualised transaction number (unique number) for a promotional scheme.
  • the customer scans their fingerprint and/or iris at an automated dispensing machine and puts in money to receive a scratch card, for example, that has an entry into a prize draw.
  • the transaction number which is generated can also include an investment instrument of medium-term, as well as the draw card information and also a link to the fingerprint and/or iris information.
  • the individualised investment represented by the card produced can only be accessed once a secondary KYC (Know Your Client) process is carried out, but the cost and time frame of this is reduced as now a simplified identity card either containing biometric information (simply in the form of a picture for visual identification) or not containing biometric information can be inspected by a bank officer and linked with the unique identifier contained in the scratch card/lottery draw card. This would have an individual first price of something in the region of five dollars but would have a section allowing for a reprint of draw numbers/and relevant transaction numbers containing the draw numbers and the investment instrument so that it could be reused many times before second stage KYC was required.
  • the unique element here is the combination of the relevant file reference (unique identifier) of the fingerprint scan and/or the iris scan so that the individualised (biometric) information would not need to be carried on the card itself thereby greatly reducing its cost and increasing its security.
  • the individualised information would have been transmitted via the automated dispensing terminal to the central site which would then give a transaction number which would be incorporated into the unique identifier printed on the card. Subsequent scans for authentication would be able to refer to this unique transaction number being the file reference and incorporate that into new investment certificate/prize draw transaction numbers. This would substantially reduce the cost of the issued card as now the iris and/or fingerprint information would not need to be contained on a chip in the card which would have increased its price.
  • the second stage KYC would be for the ID document to be presented to the bank officer together with the reference number on the scratch card/receipt, which would mean that the bank officer would be able to verify the identity of the customer and link his now recorded iris and/or fingerprint to the ID card, where there was no biometric information, or where there was biometric information on the ID card, have their own biometric information for future transactions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • General Business, Economics & Management (AREA)
  • Collating Specific Patterns (AREA)

Abstract

Methods and systems for securely registering the association between a document and a user are described. Biometric sensors are used to determine biometric characteristics of the user, and from these characteristics, biometric parameters are derived. A user identity code uniquely referencing the set of biometric parameters is provided to the user in a user-portable format. A document generation request includes a specification specifying content of the document, and the specification is uniquely referenced by a document identity code, also provided to the user in a user-portable format. A registration transaction involves receiving from the user and pairing said codes together to define a link between the document and the biometric parameters of the user, and so the user.

Description

Improvements relating to the processing of biometric data
Field of the invention
The present invention relates to improved methods and systems that utilise the biometric characteristics of a user in authentication of, for example, the association with and access to resources such as documents and assets. The present invention also relates specifically to registering the association between a document and a user via the biometric characteristics of that user. The present invention may also relate to the automated pre-preparation of biometric data.
Background
Certain biometric data such as the patterns of a user's iris, or the ridges of a user's fingers and palms are known to be practically unique to that user. Thus, registering the association between that user's biometric data and a document representing an asset reduces the chance of the theft of that asset, as at a redemption stage, the association between the document and the user can be verified with a high level of certainty by checking that user's biometric characteristics.
However, biometric registration and validation is costly and time-consuming. Accordingly, it can be inappropriate for use with certain documents, especially those that have a relatively nominal initial value. Such documents may include banking documents that represent financial instruments (including investment instruments such as bonds), prize-draw tickets, lottery tickets and the like.
Several modern banking systems rely on proprietary biometric cards containing biometric data to validate the true owner of a payment card, such as a credit card. Such biometric data may include fingerprint parameters, iris scan parameters, etc.
The preparation of these biometric cards is undertaken in specific data centres or by authorised bank officers armed with mobile technology to allow a degree of mobile registration. This is a very expensive process which adds to the cost of that card. Each subsequent use of the card requires matching of the biometric data stored on the card with that of the person seeking authentication at a biometric terminal. The advantage is considered to reside in the apparent speed of authentication as the check can be carried out locally. However, with the advent of high-speed data networks, this is becoming less of an issue. One serious disadvantage of this process is that the biometric data is provided on the card and if the card is lost or stolen the biometric data can be decrypted from the card and a user's identity can become compromised. Alternatively, identity swapping can be carried out in that the forger's biometric data can be substituted for that on the card, thereby bypassing any security of the card. Also, the relatively high cost has acted as a bar to mass use of such technology. The current aspect of the present invention seeks to address at least some of these problems.
More specifically, it is desirable to reduce the cost of this enrolment process in order to increase substantially the numbers of users who can be enrolled into such schemes. This would provide a degree of encouragement to entice unbanked or underbanked users into inclusion within the electronic authentication process, possibly opening up the previously inaccessible banking facilities domain to them.
In more detail, an aspect of the present invention seeks to speed up, reduce the cost of, and improve the security relating to associating a document with a user.
Summary of the invention
Accordingly, a first aspect of the present invention provides a system for securely registering the association between a document and a user. Ideally, the system comprises at least one of: a secure terminal; a biometric identity registry for storing a set of biometric characteristics of the user; a document generation terminal; a document registry for storing a specification of the document; and a registration terminal. The secure terminal may comprise at least one biometric sensor. The secure terminal may comprise a processor. The secure terminal may comprise a user identity provisioning means such as a ticket printer. The ticket printer may be arranged to print an ID ticket. The document generation terminal may comprise a document identity provisioning means such as a document printer for printing a copy of the document. The registration terminal may comprise an input means such as a scanner for scanning the document and the ID ticket. Preferably, the secure terminal is configured, in use, to operate the at least one biometric sensor to determine biometric characteristics of the user. The secure terminal may process using the processor those determined biometric characteristics to derive a set of biometric parameters unique to that user. The secure terminal may be further configured, in use, to securely transmit the set of biometric parameters to the biometric identity registry.
The biometric identity registry may be configured, in use, to receive the set of biometric parameters and store it together with a corresponding user identity code. The biometric identity registry may generate the user identity code. Preferably, the user identity code uniquely references the set of biometric parameters stored by the biometric identity registry. The biometric identity registry may be further configured to, in response to the receipt of the set of biometric parameters from the secure terminal, transmit the corresponding user identity code to the secure terminal.
Ideally, the secure terminal is further configured, in use, to receive the user identity code from the biometric identity registry, and operate the ticket printer to print the received user identity code on to a user-portable ID ticket. The user identity code is ideally exhibited on the ID ticket in a machine-readable format.
The document generation terminal may be configured, in use, to receive a request to generate a document, the request comprising a specification. Ideally, the specification specifies the content of the document. The document generation terminal may be arranged to send the specification to the document registry.
The document registry may be configured, in use, to receive the document specification and store it together with a corresponding document identity code that uniquely references the document specification stored by the document registry. The document registry may be further configured to transmit the corresponding document identity code to the document generation terminal.
The document generation terminal may be configured, in use, to receive the document identity code from the document registry, and operate the document printer to print a copy of the document exhibiting the document identity code thereon in a machine-readable format.
Ideally, the registration terminal is configured, in use, to process a registration transaction during which the registration terminal operates the scanner to scan the machine-readable codes of the ID ticket and the document to extract therefrom, respectively, the user identity code and the document identity code. Processing of the registration transaction by the registration terminal may further comprise pairing together the extracted codes, and transmitting said paired codes to an entity such as at least one of the biometric identity registry and the document registry so as to define a link between the document and the biometric parameters of the user.
Advantageously, a user does not necessarily need to have their biometric characteristics scanned every time a document is associated with that user. This, in turn, means that the system can be made more secure, and more respectful of a user's right to privacy; there is a far reduced chance of a fraudulent third party spoofing or intercepting the biometric characteristics of that user. Also, as a result, it is possible for the present system to be deployed at lower expense, in that the relatively expensive biometric scanners need only be provided on the secure terminal, and do not need to be provided at the document generation terminal, nor the registration terminal. Furthermore, a single secure terminal can support many tens or even hundreds of document generation terminals and registration terminals without an appreciable slow-down in the registration process, but realising an appreciable cost saving.
The system may further comprise a verification terminal for verifying the association between the user and the document. Ideally, the verification terminal comprises a scanner for scanning the document and the ID ticket. Ideally the verification terminal is configured, in use, to: operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code; determine at least one of the user identity code and a set of biometric parameters unique to that user; and/or transmit a verification request to at least one of the document registry and the biometric identity registry, the verification request comprising the document identity code and at least one of the user identity code and the set of biometric parameters unique to that user. Moreover, at least one of the document registry and the biometric identity registry may be configured, in response to receiving the verification request, to: determine whether there is a predetermined link between the document and the biometric parameters of the user that are referred to by the verification request; and/or otherwise transmit to the verification terminal, a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
The verification terminal may comprise at least one biometric sensor and a processor. The verification terminal may be configured, in use, to determine the set of biometric parameters unique to the user by operating the at least one biometric sensor to determine biometric characteristics of the user. Ideally, using the processor, the verification terminal may be arranged to process those determined biometric characteristics to derive the set of biometric parameters. Thus, the verification request may comprise the derived set of biometric parameters.
Accordingly, it can be beneficial for the processor of the verification terminal, and the processor of the secure terminal to each use a function that derives matching sets of biometric parameters from biometric characteristics of the same user.
Ideally, the secure terminal further comprises an image capture device. Ideally, this is positioned and arranged to capture an image of the face of the user. Accordingly, the secure terminal is ideally configured, in use, to: operate the image capture device to capture an image of the face of the user; and operate the ticket printer to print the image of the face of the user on to the user-portable ID ticket together with the user identity code. Advantageously, this allows a user to easily see who a printed ticket is associated with.
Ideally, at least one of the biometric sensors of the secure terminal comprises an iris scanner positioned and arranged to capture an iris image of the iris of the user, the iris image being of a quality sufficient to allow the processor to derive, from that iris image, the set of biometric parameters unique to that user. Advantageously, the iris scanner and the image capture device may be positioned relative to one another on the secure terminal and configured to enable the secure terminal to capture the image of the face of the user and also the iris image from the same position of the face of the user relative to the secure terminal. In other words, the user doesn't need to move their face to allow the secure terminal to capture images of both the face and iris of that user, saving time.
Ideally, the system further comprises a POS terminal configured, in use, to conduct a payment transaction, a successful payment transaction being communicated to the document generation terminal to authorise document generation. The POS terminal may comprise a payment module arranged to receive a payment from a user, the successful payment transaction comprising receiving the payment. The POS terminal may be further configured, in use, to communicate, for inclusion within the specification of the document, a reference to a payment value of the payment.
Ideally, the system further comprises a payment validation authority in communication with the POS terminal. The payment validation authority is ideally configured, in use, to transmit a payment validation message to the POS terminal that validates successful payment for generation of the document. Ideally, the system may further comprise a redemption terminal configured, in use, to conduct a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document. Ideally, the document registry stores a redemption status associated with a respective document.
Preferably, the redemption terminal comprises a scanner for scanning the document and the ID ticket. Ideally, the redemption terminal is configured, in use, to: operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code; determine at least one of the user identity code and a set of biometric parameters unique to that user; and send a query to the document registry to determine the redemption status associated with that document, the query including the extracted document identity code and the at least one of the user identity code and the set of biometric parameters. Accordingly, the document registry may be configured, in use, to respond to the query to: validate the document redemption transaction on the basis of the redemption status, the document identity code, and at least one of the user identity code and the set of biometric parameters; and update the redemption status associated with that document in response to a successful document redemption transaction. It should be noted that the "storage" of data by an entity (such as the document registry) may be the same as that entity otherwise having access to that data, for example via a secured communication network. The document registry may be configured, in use, to determine the redemption value associated with the document by: comparing at least a portion of the specification of the document with an outcome of an event, the outcome being determined after receipt by the document registry of the specification of the document. Timestamps may be used to verify such chronology.
The document generation terminal may be configured, in use, to receive a request to generate a document, the request comprising a specification specifying content that references the event, and also a predicted outcome of the event, the document generation terminal being arranged to send the specification to the document registry.
Accordingly, the document registry may be configured, in use, to determine the redemption value associated with the document by comparing the predicted outcome of the referenced event with the outcome of that event, as defined by the specification associated with that document.
It should be noted that the component parts of the system may constitute further aspects of the invention. For example, further aspects of the invention may reside in at least one of: a secure terminal, a processor, a ticket printer, an ID ticket, a biometric identity registry, a document generation terminal, a document printer, a printed copy of a document, a document registry, a specification of a document, a registration terminal, a scanner, a verification terminal, an image capture device, a biometric scanner, an iris scanner, a fingerprint/hand scanner, a POS terminal, a payment module, a payment validation authority and a redemption terminal. Such components are ideally arranged or configured for use with a system according to the first aspect of the present invention.
However, it should be understood that they may be functionally compatible with a second aspect of the present invention which provides a method of securely registering the association between a document and a user. The method may comprise at least one of: determining (ideally at a secure terminal) using at least one biometric sensor, biometric characteristics of the user;
processing (ideally at the secure terminal), the determined biometric characteristics to derive a set of biometric parameters unique to that user;
securely transmitting the set of biometric parameters (ideally from the secure terminal to a biometric identity registry for storage at the biometric identity registry), and in response receiving (ideally at the secure terminal from the biometric identity registry) a user identity code that uniquely references the set of biometric parameters stored by the biometric identity registry;
providing (ideally via the secure terminal), the user identity code in a user-portable format;
receiving, (ideally at a document generation terminal), a request to generate a document, the request comprising a specification specifying content of the document;
sending the specification (ideally from the document generation terminal to a document registry for storage at the document registry), and in response receiving (ideally at the document generation terminal from the document registry) a document identity code that uniquely references the document specification (ideally stored by the document registry);
generating the document (ideally at the document generation terminal), in a user-portable format, the generated document including the document identity code; and
processing, (ideally at a registration terminal), a registration transaction for registering the association between the document and the user, the registration transaction comprising:
inputting the document identity code and the user identity code;
pairing the document identity code with the user identity code; and transmitting those paired codes - ideally to at least one of the biometric identity registry and the document registry - so as to define a link between the document and the biometric parameters of the user.
Thus, it is clear that advantages of the first aspect of the present invention can also apply to the second aspect, and vice-versa. For example, advantageously, a terminal (or other entity) not having a biometric sensor can instead receive a reference to that biometric data, and this can be used to register documents or other assets. This is useful for low-cost deployment and minimising the chance of personal biometric data being stolen.
Ideally, the method comprises verifying the association between the user and the document. This may involve transmitting (ideally via a verification terminal), a verification request. This may be to at least one of the document registry and the biometric identity registry. In any case, the verification request ideally comprises the document identity code and at least one of the user identity code and a set of biometric parameters unique to that user. Verification may also involve receiving in response to the verification request (ideally from at least one of the document registry and the biometric identity registry), a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
The method may further comprise conducting a payment transaction, ideally at a POS terminal. Ideally, a successful payment transaction authorises the step of generating the document, for example at the document generation terminal. The payment transaction may comprise receiving a payment, a payment value of which is referenced by the specification. Conducting the payment transaction may comprise receiving (e.g. at the POS terminal) from a payment validation authority a payment validation message that validates successful payment for generation of the document.
The method may comprise conducting a document redemption transaction, such as at a redemption terminal. Ideally, a successful document redemption transaction authorises payment to a user of a redemption value associated with the document. A redemption status may be stored, for example at the document registry. Ideally, the redemption status is associated with a respective document, and the document redemption transaction comprises at least one of: sending a redemption query (ideally to the document registry) to determine the redemption status associated with that document, the query including at least one of: the document identity code, the user identity code and a set of biometric parameters unique to that user; validating the document redemption transaction on the basis of the redemption status and the at least one of: the document identity code, the user identity code and set of biometric parameters; and updating the redemption status associated with that document (ideally at the document registry) in response to a successful document redemption transaction. Ideally, the method further comprises determining the redemption value associated with the document by comparing at least a portion of the specification of the document (ideally held by the document registry) with an outcome of an event. Ideally, the outcome is determined after document generation, or after receipt by the document registry of the specification of the document.
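The registration, verification and redemption transactions described above can be modelled with two in-memory registries, as an added example that is not part of the patent text. The class and function names, the random code format, the exact-match stand-in for biometric matching and the refusal to re-link an already linked document are all assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class BiometricIdentityRegistry:
    """Only this registry ever stores biometric parameter sets."""
    params_by_code: dict = field(default_factory=dict)

    def enrol(self, biometric_params: bytes) -> str:
        # Assumption: a purely random user identity code.
        code = "U-" + secrets.token_hex(8)
        self.params_by_code[code] = biometric_params
        return code

    def knows(self, user_code: str) -> bool:
        return user_code in self.params_by_code

    def code_for(self, biometric_params: bytes):
        # Assumption: an exact byte match stands in for real biometric matching.
        for code, stored in self.params_by_code.items():
            if hmac.compare_digest(stored, biometric_params):
                return code
        return None


@dataclass
class DocumentRegistry:
    identity_registry: BiometricIdentityRegistry
    specs: dict = field(default_factory=dict)     # document code -> specification
    links: dict = field(default_factory=dict)     # document code -> user code
    redeemed: set = field(default_factory=set)    # redemption status

    def store(self, specification: dict) -> str:
        code = "D-" + secrets.token_hex(8)
        self.specs[code] = dict(specification)
        return code

    def register_link(self, doc_code: str, user_code: str) -> bool:
        # Both codes must reference records that really exist.
        if doc_code not in self.specs or not self.identity_registry.knows(user_code):
            return False
        # Assumption: a linked document cannot be re-linked to another user.
        return self.links.setdefault(doc_code, user_code) == user_code

    def verify(self, doc_code, user_code=None, biometric_params=None) -> bool:
        # The request carries the document code plus a user code or parameters.
        if user_code is None and biometric_params is not None:
            user_code = self.identity_registry.code_for(biometric_params)
        return user_code is not None and self.links.get(doc_code) == user_code

    def redeem(self, doc_code, user_code=None, biometric_params=None) -> str:
        if not self.verify(doc_code, user_code, biometric_params):
            return "rejected"
        if doc_code in self.redeemed:
            return "already redeemed"
        self.redeemed.add(doc_code)               # update the redemption status
        return "redeemed"


def registration_transaction(registry, scanned_ticket_code, scanned_document_code):
    """Registration terminal: pairs two scanned codes, never sees biometric data."""
    return registry.register_link(scanned_document_code, scanned_ticket_code)


def run_demo() -> dict:
    ids = BiometricIdentityRegistry()
    docs = DocumentRegistry(ids)
    params_a = b"constructed-parameters-user-a"   # constructed sample data
    params_b = b"constructed-parameters-user-b"
    user_a, user_b = ids.enrol(params_a), ids.enrol(params_b)
    ticket = docs.store({"type": "prize-draw ticket", "numbers": [4, 8, 15]})
    return {
        "registered": registration_transaction(docs, user_a, ticket),
        "relink_by_other_user": registration_transaction(docs, user_b, ticket),
        "unknown_user_code": registration_transaction(docs, "U-unknown", docs.store({})),
        "verify_owner_by_code": docs.verify(ticket, user_code=user_a),
        "verify_owner_by_biometrics": docs.verify(ticket, biometric_params=params_a),
        "verify_other_user": docs.verify(ticket, user_code=user_b),
        "first_redemption": docs.redeem(ticket, biometric_params=params_a),
        "second_redemption": docs.redeem(ticket, user_code=user_a),
        "redemption_by_other_user": docs.redeem(ticket, user_code=user_b),
    }


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step}: {outcome}")
```

The registration terminal function receives only the two printed codes, which is the property the description relies on for deploying terminals without biometric sensors.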
Ideally, the specification included with the request to generate a document comprises content that references the event, and also a predicted outcome of the event, and determining the redemption value associated with the document comprises comparing the predicted outcome of the referenced event with the outcome of that event.
Providing the user identity code in a user-portable format may comprise printing, e.g. at the secure terminal, the user identity code onto an ID ticket. The user identity code may be printed onto the ID ticket in a machine-readable format, such as a barcode.
Generating the document at the document generation terminal in a user-portable format may comprise printing the document, the printed document exhibiting the document identity code of the document. Ideally, the document identity code is exhibited on the printed document in a machine-readable format, such as a barcode.
The method may further comprise scanning, e.g. at the registration terminal, the ID ticket and/or printed document to extract therefrom the respective user identity code and/or document identity code to facilitate their input for the registration transaction.
It will be appreciated that features and advantages of the different aspects of the present invention may be combined or substituted where context allows. Furthermore, it should be appreciated that any feature or advantage described or referenced herein, for example associated with aspects or embodiments of the invention, may independently constitute further aspects of the present invention, or may be combined with such aspects.
Brief description of the drawings
Embodiments of the invention will now be described, by way of example, with reference to the accompanying drawings in which:
Figure 1 is a schematic diagram of an overview of a system according to a first embodiment of the present invention;
Figure 2 is a schematic diagram of a document, in the form of a prize-draw ticket for use with the system shown in Figure 1;
Figure 3 is a schematic diagram of an extension to the system of Figure 1; and
Figure 4 shows a flow diagram of a process that is a generalised version of the first embodiment of the present invention.
Specific description
Figure 1 shows a system 10 according to a first embodiment of the present invention. The system 10 is shown in overview in Figure 1, and so, in the interests of clarity, not all the components of the system 10 are shown.
The system 10 comprises a secure terminal 20, a document generation terminal 30, a registration terminal 40, a biometric identity registry 50 and a document registry 60. The system 10 also comprises a communications network 11 that enables communication between these system components, and others not shown in Figure 1, as will be described in greater detail below.
For the avoidance of doubt, it should be noted here that at least the main components of the system 10 (namely the terminals and the registries) are computerised and so have access to computing resources required for them to carry out the functions described herein. For example, such computing resources may include processors for processing data, communication modules for communication with other computerised components, databases for data storage and user-interfaces to allow data to be presented to, and received from users. Moreover, if certain components of the system 10 are described herein to be arranged or configured to carry out a function, it will be appreciated that those components are likely to be carrying out that function automatically via the execution of a computer program. However, for the purposes of clarity such features have not been shown in the drawings for every component of the system 10.
The secure terminal 20 comprises a plurality of biometric sensors, namely an iris scanner 21 for capturing an iris image of the iris of a user 1 and a fingerprint and palm scanner 22 for capturing a fingerprint and palm image of the hand of the user 1. The secure terminal 20 also comprises a ticket printer 23 for printing an ID ticket 200, and an image capture device 24 for capturing an image of the face of the user 1. The secure terminal also comprises other components such as a processor 25.
The document generation terminal 30 comprises a document printer 31 for printing a copy of a document 300 in the form of a prize-draw ticket 300.
The registration terminal 40 comprises a scanner 41 for scanning the document 300 printed by the document printer 31 at the document generation terminal 30 and also the ID ticket 200 printed by the ticket printer 23 at the secure terminal 20. Specifically, the scanner 41 is arranged to scan the respective barcodes exhibited on the printed ID ticket 200 and document 300.
In summary, the terminals 20, 30, 40, the biometric identity registry, and the document registry of the system 10 interact with one another in a way that allows an association between the user 1 and the document 300 to be securely registered in a way that is quicker, less expensive and more secure than prior known systems, especially for documents which represent assets (such as prize-draw tickets 300) that it is beneficial to uniquely associate with the biometric data of their rightful owner.
One of the ways that the present system is quicker than prior known systems relates to the fact that a user does not necessarily need to have their biometric characteristics scanned every time that user wishes to associate themselves with a document. This, in turn, means that the system can be made more secure, and more respectful of a user's right to privacy; there is a far reduced chance of a fraudulent third party spoofing or intercepting the biometric characteristics of that user.
Also, as a result, it is possible for the present system to be deployed at lower expense, in that the relatively expensive biometric scanners 21, 22 need only be provided on the secure terminal 20, and do not need to be provided at the document generation terminal 30, nor the registration terminal 40. Furthermore, a single secure terminal 20 can support many tens or even hundreds of document generation terminals 30 and registration terminals 40 without an appreciable slow-down in the registration process, but realising an appreciable cost saving.
The operation of the system 10 that results in these and other advantages will now be summarised.
Typically, a user 1 wishing to use the system 10 approaches the secure terminal 20. The secure terminal 20 is configured to operate the biometric sensors, namely the iris scanner 21 and the fingerprint and palm scanner 22, so as to determine the biometric characteristics of the user. The user 1 may be instructed via a display screen 26 of the secure terminal about where to stand, where to position his or her face and hands and so forth. At the same time as scanning the iris of the user, the secure terminal also operates the image capture device 24 to capture an image of the face of the user. The iris scanner 21 and the image capture device 24 are arranged relative to one another to enable the images of both the iris and the face of the user to be captured substantially simultaneously (or otherwise without requiring the user 1 to move or face towards independent face and iris capture devices). This speeds up the operation of the system 10 as a whole. To this end, it will be noted that the iris scanner 21 and the image capture device 24 may be mounted on or be part of the same device, and may even share components such as CCDs, lenses or the like, thereby reducing further the cost of the system 10 as a whole.
The biometric characteristics of the user 1 are then processed by a processor 25 of the secure terminal 20 to derive a set of biometric parameters unique to that user 1.
To increase the reliability of the biometric parameters, the biometric characteristics of the user 1 may be taken many times, with the different instances checked against one another. Moreover, the biometric parameters may be taken under different conditions, again to increase the reliability of the biometric parameters. For example, the secure terminal 20 may take a scan of the iris from different angles, and under different lighting conditions to ensure the key patterns of the iris persist across all conditions, and so are likely to be detected again when checking the biometric identity of a user 1. To this end, the secure terminal may comprise a plurality of light sources of different wavelengths and/or positioned at different locations that are activated sequentially in order to capture a sequence of different images of the user's iris. Each image can be analysed with another in the sequence to determine what the key patterns of the iris are. Similarly, the sequence of comparable images may be those that have been taken through different lenses each having a different viewpoint of the iris.
The set of biometric characteristics are then securely transmitted over the communication network 11 to the biometric identity registry 50 for storage thereat. To this end, the biometric characteristics are encrypted prior to transmission. The use of public-private key encryption between the biometric identity registry 50 and the secure terminal 20 is particularly useful.
The biometric identity registry 50 is configured to receive the set of biometric parameters and store it together with a corresponding user identity code. The biometric identity registry 50 may assign the user identity code at random, or determine the user identity code by hashing one or more biometric parameters. Ideally, a combination of these two methods is used to allow the system to benefit from the security of a randomly assigned code at the same time as benefitting from the integrity of a code that is derivable from the biometric parameters. In any case, the resulting user identity code against which the set of biometric parameters is stored is unique. The biometric identity registry 50 is then configured to respond to the secure terminal 20 by sending to it the user identity code.
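One way to combine the two methods is sketched below as an added example; it is not taken from the patent, which does not specify a construction. It assumes the biometric parameters are already quantised so that the same user always yields identical values, uses a registry-held HMAC key so the printed code cannot be tested offline against candidate biometric data, and uses hypothetical names (`issue_code`, `code_matches`, `IdentityCodeIssuer`). It also shows the re-application behaviour mentioned later in the description, where a new code invalidates the earlier one.

```python
import hashlib
import hmac
import json
import secrets

NONCE_BYTES = 16  # random part of the code (assumed size)
TAG_BYTES = 16    # truncated keyed hash of the parameters (assumed size)


def _tag(key: bytes, nonce: bytes, params: dict) -> bytes:
    # Deterministic serialisation; assumes the parameters are already quantised
    # so that the same user always yields the same values.
    blob = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, nonce + blob, hashlib.sha256).digest()[:TAG_BYTES]


def issue_code(key: bytes, params: dict) -> str:
    """Random nonce plus a keyed hash binding that nonce to the parameters."""
    nonce = secrets.token_bytes(NONCE_BYTES)
    return (nonce + _tag(key, nonce, params)).hex()


def code_matches(key: bytes, code: str, params: dict) -> bool:
    """Integrity check: was this code derived from these parameters?"""
    try:
        raw = bytes.fromhex(code)
    except ValueError:
        return False  # not hexadecimal, e.g. a misread barcode
    if len(raw) != NONCE_BYTES + TAG_BYTES:
        return False
    nonce, tag = raw[:NONCE_BYTES], raw[NONCE_BYTES:]
    return hmac.compare_digest(tag, _tag(key, nonce, params))


class IdentityCodeIssuer:
    """Registry-side issuer (hypothetical class, not from the patent)."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves the registry
        self._active = {}                    # user identity code -> parameters

    def enrol(self, params: dict) -> str:
        # A re-application by the same user invalidates the earlier code.
        for old in [c for c, p in self._active.items() if p == params]:
            del self._active[old]
        code = issue_code(self._key, params)
        self._active[code] = params
        return code

    def is_valid(self, code: str) -> bool:
        params = self._active.get(code)
        return params is not None and code_matches(self._key, code, params)
```

Because the nonce is fresh on every enrolment, two codes issued for the same parameters differ, yet each can still be checked against the stored parameters by the registry alone.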
The secure terminal 20 is configured to receive the user identity code from the biometric identity registry 50, and operate the ticket printer 23 to print the received user identity code on to a user-portable ID ticket 200. Moreover, the user identity code is exhibited on the ID ticket 200 as a 3D barcode 201, although it will be appreciated that other machine-readable indicia are possible that allow the subsequent entering of the code to be performed quickly and reliably. In addition, the secure terminal 20 is configured to control the ticket printer 23 to print onto the ID ticket 200 alongside the 3D barcode 201, an image of the face of the user 202. Advantageously, this provides an efficient way to allow the user to be satisfied that the ID ticket 200 relates to them and not a different user. Thus, in the subsequent use of the ID ticket for registration, as will be described, there is far greater chance that the user will realise if the correct ID ticket isn't being used - for example, if the user's ID ticket has been substituted with a different ID ticket (which will show the image of a different person).
The ID ticket 200 is user-portable, and is approximately the size of a credit-card.
Accordingly, it is intended that a user 1 carries their ID ticket 200 with them, presenting it when they desire to uniquely associate a document with them, or rather, their unique set of biometric parameters as will be described.
It should be noted that the ID ticket 200 does not actually contain any of the biometric parameters of the user; only a reference to them at the biometric identity registry. Thus, the loss or theft of the ID ticket 200 does not compromise the security of the user's biometric details.
Either before, or after utilising the secure terminal 20 to obtain an ID ticket 200, the user 1 can make use of the document generation terminal 30 to obtain a copy of a document 300 in the form of a prize-draw ticket 300.
To do this, the user 1 approaches the document generation terminal 30 and interacts with it to formulate a request to generate a document 300. In the present embodiment, the document generation terminal 30 issues prize-draw tickets 300, and so this interaction involves the user 1 specifying numbers he or she desires to submit into a future prize draw, along with a selection of which prize-draw the user wishes to enter. For example, if a prize-draw event is held every Saturday, the user 1 will need to specify for which week the prize-draw ticket is an entry.
Thus, these and other specified details are content that forms the basis of a specification of the document to be generated.
In certain embodiments, the document generation terminal 30 may comprise a touch-screen display firstly to provide guidance to a user, and secondly to allow the user to interact with the document generation terminal 30 to formulate the specification by picking the appropriate content (e.g. their prize-draw numbers and entry date).
When the document specification is finalised, the document generation terminal 30 is configured to send the specification to the document registry 60 via the communication network 11. The document registry 60 is configured to receive the document specification and store it together with a corresponding document identity code that uniquely references the document specification stored by the document registry 60. The document registry 60 is further configured to transmit the corresponding document identity code back to the document generation terminal 30.
It will be appreciated that this is similar to the interaction between the biometric identity registry 50 and the secure terminal 20, and similar features and advantages can apply to both sets of interactions. For example, it is preferred that communications at least between terminals and registries are secured by encryption protocols. Also the generation of codes such as the user identity code and the document identity code by their respective registries is subject to the appropriate security and integrity measures. In any case, the document generation terminal 30 is configured to receive the document identity code from the document registry 60, and operate the document printer 31 to print a copy of the document 300.
Referring to Figure 2, which shows an enlarged view of the printed document 300, the document exhibits the document identity code thereon in a machine-readable format, specifically as a barcode 301. Also exhibited on the printed copy of the document 300 is content from the specification, such as the date 302 of the prize draw event, the selected prize-draw numbers 303 and a timestamp 304 reflecting the time and date the document generation terminal 30 instructed printing of the copy of the document 300.
It should be noted that a user 1 may initiate a request for many documents, each with their own specification and unique document identity code. Moreover, such requests may be issued to different document generation terminals. It does not matter whether the user 1 approaches the secure terminal 20 to first obtain an ID ticket 200, or whether the user subsequently approaches the secure terminal 20 after obtaining the document 300 from the document generation terminal 30. In either case, after visiting both the secure terminal 20 and the document generation terminal 30, the user 1 is in possession of an ID ticket 200 bearing his or her user identity code and a document 300 bearing a document identity code. Together, these can be utilised to register the specification of the document 300 against the biometric details of the user 1. To do this, the user approaches the registration terminal 40 with both the ID ticket 200 and the document 300. The registration terminal 40 is configured to process a registration transaction during which the registration terminal operates the scanner 41 to scan the machine-readable codes 201, 301 of the ID ticket 200 and the document 300 to extract therefrom, respectively, the user identity code and the document identity code.
These codes are paired together by the registration terminal 40 and then securely transmitted to either or both the biometric identity registry 50 and the document registry 60 so as to define a link between the document and the biometric parameters of the user.
Specifically, when receiving the paired codes from the registration terminal 40, the document registry 60 is able to perform a query to determine whether the document identity code already exists therein, and if so, the document registry 60 stores alongside the document identity code (and the specification of the document) the user identity code. Similarly, when receiving the paired codes from the registration terminal 40, the biometric identity registry 50 is able to perform a query to determine whether the user identity code already exists therein, and if so, the biometric identity registry 50 stores the document identity code alongside the user identity code (and the set of biometric parameters unique to that user). It should be further appreciated that the biometric identity registry 50 and the document registry 60 may communicate with one another over a secure communication channel to verify and maintain the integrity and security of the data held by each registry.
Advantageously, the user has a choice regarding whether or not to register documents against their biometric data. If the document represents a relatively low value asset, then the user is able to save time by not going through the registration transaction.
Furthermore, this allows documents to be generated by a user anonymously.
It should also be appreciated that separating document generation from registration is useful in other ways.
For example, a user may wish to generate and register a large number of documents, and may employ several helpers to assist with this process. It is possible to do so by deploying the helpers to different document generation terminals, and then - after all the printed documents have been collected together - register them in a batch process. Specifically, the registration terminal may be configured to carry out a single registration transaction that involves scanning in multiple documents, and a single ID ticket 200 once for the purpose of registering those multiple documents against a single user without needing to scan in the ID ticket 200 for every document.
Another example is where a single user may wish to generate documents as gifts for other users. It is possible to provide those documents as registered gifts, assuming the user has the ID ticket 200 associated with those other users. Friends and families may share ID tickets with one another enabling this function of the system 10.
As mentioned previously, the distribution of a user's ID ticket does not compromise the security of the system 10 as it is possible only to register a document against a user's set of biometric parameters. It is not possible to obtain those biometric parameters (nor any benefit associated with the document as will be described in greater detail below). An analogy is if one has a bank account number, it is only possible to pay money into that bank account - not withdraw money from it.
Naturally, the system 10 is particularly applicable and advantageous where the document has a value, or otherwise relates to an asset which may appreciate in value over time. This is also the case where a user 1 pays when submitting a request to generate a document, as is the case for documents in the form of investments, entries into prize-draws or entries into a lottery. To this end, the system 10 may further comprise a point-of-sale (POS) terminal configured to conduct a payment transaction. In the present embodiment, the document generation terminal 30 acts as the POS terminal, but it will be appreciated that in alternatives, the POS terminal is separate from the document generation terminal 30. In either case, a successful payment transaction conducted by the POS terminal is communicated to the document generation terminal to authorise document generation.
Figure 3 is a schematic diagram of an extension of the system 10 of Figure 1 having a combined document generation terminal and POS terminal connected to the communication network 11 of the system 10. In the interests of clarity, the other components of the system are not shown in Figure 3, but it should be understood that they are present, or at least available via the communication network 11. Here, the system 10 further comprises a payment validation authority 70.
The POS terminal comprises a payment module 32 arranged to receive a payment from the user. The payment module 32 may comprise a cash input (e.g. a cash or banknote input) and/or a payment card reader input. In the former case, payment validation is carried out locally as a result of the collected cash. In the latter case, the payment module 32 is configured to communicate with the payment validation authority 70 to verify the credentials provided on a payment card presented by a user 1. Specifically, the payment validation authority 70 is configured to transmit a payment validation message to the POS terminal that validates successful payment for generation of the document 300.
A successful payment transaction involves receiving payment and the POS terminal including within the specification of the document 300, a reference to a payment value of the payment. Referring to Figure 2, the payment value 305 of the printed document 300 is shown to be £1. Moreover, this information included in the specification of the document can be transmitted to the document registry 60 for storage thereat. A natural additional aspect of the system 10 of the present embodiment is the ability to verify that a user and a document are associated with one another. This can be useful for the purposes of redeeming a document such as a prize-draw ticket.
To strike a balance between security and convenience, the system 10 supports two ways in which the association between a document and a user can be verified. In summary, a high-security, high-cost approach involves re-scanning the biometric characteristics of the user 1, and a low-security, low-cost approach is to simply rescan the ID ticket 200 along with the document 300. In practice, a combination of these two methods may be used, in dependence on the desired operation the verification will lead to, and also the value of that operation. For example, where the verification is for the purposes of paying out winnings to the winner of a prize totalling more than hundreds of pounds, then the high security approach will be adopted. Conversely, for the redemption of a relatively small prize under £100, a more convenient, low-cost approach will be adopted. Whilst the system 10 may comprise an independent verification terminal, it is beneficial to utilise the existing infrastructure of the system 10 as shown in Figure 1. Thus, for the high-security approach, the secure terminal 20 can be used as a verification terminal. For the low-security approach, the registration terminal 40 can be used as a verification terminal.
More specifically, for the high-security approach, the system comprises a verification terminal in the form of the secure terminal 20 for verifying the association between the user and the document. To act as a verification terminal, the secure terminal comprises a scanner 27, although this is not essential as will be explained below.
In use, the verification terminal 20 operates the scanner 27 to scan the machine-readable code of at least the document 300 to extract therefrom the document identity code. Furthermore, the verification terminal 20 derives a set of biometric parameters from the biometric sensors 21, 22 in a similar manner as already described. The verification terminal is then configured to transmit a verification request to at least one of the document registry 60 and the biometric identity registry 50 (ideally the latter).
The verification request comprises the extracted document identity code and the set of biometric parameters unique to that user. On receipt of this request, the document registry 60 and the biometric identity registry 50 query themselves, and if necessary the other registry, to determine whether there is a predetermined link between the document and the biometric parameters of the user that are referred to by the verification request.
If there is a predetermined link, a verification message is sent to the verification terminal 20 that verifies the predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
As the biometric details of a user are unique, and highly unsusceptible to spoofing by a malicious third-party, it is not strictly necessary for a user 1 to provide the document identity code for the purposes of verifying association with that document. This is highly beneficial where the printed version of the document 300 has been lost, stolen or destroyed after registration; due to the registration, it is still possible for the user 1 to unambiguously claim association with that document, even if they no longer hold the printed copy of that document 300. Similarly, the low-security approach utilises the registration terminal as the verification terminal. Here, as the biometric characteristics of the user cannot be scanned, it is necessary for a user 1 to provide both the printed document 300 and the ID ticket 200 as de facto proof of association between the document and the user.
In such a verification approach, the ID ticket 200 may be inspected by an administrator to ensure that the image of the face on the ID ticket 200 matches the user attempting to carry out the verification process. Alternatively, the registration terminal 40, acting as a verification terminal 40, may employ an image capture device to perform automatic facial matching of the user 1 and the image of the face on the ID ticket 200.
Advantageously, this means that if a user's printed document 300 and ID ticket 200 are stolen together, that user is to some degree protected from unauthorised third party redemption of the user's document. Nonetheless, for additional protection, a subsequent reapplication by a user at the secure terminal 20 can invalidate a previously-valid user identity code stored at the biometric identity registry. This will completely render the stolen ID document 200 unusable.
In alternatives, where a high-security approach is adopted with a verification terminal different from the secure terminal 20 (or simply a different secure terminal), it is beneficial to ensure that the same user generates the same set of biometric parameters, despite the differences in terminal, environment, or even age of the user. Whilst certain biometric characteristics, such as iris patterns, remain relatively stable over time, and under different conditions, it is still important to account for any variations that may occur to avoid false-negative matches. At the very least, it can be crucial to ensure that the processor of the verification terminal, and the processor of the secure terminal each use a function that derives matching sets of biometric parameters from biometric characteristics of the same user.
Assuming successful validation of an association between a user and a document, it may then be possible to redeem an appropriate document.
To this end, the system 10 comprises a redemption terminal which is configured to conduct a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document. Again, whilst an independent redemption terminal may be provided, it is beneficial to make use of the infrastructure of the existing system of Figure 1. Accordingly, as already described in relation to the verification terminal, the secure terminal 20 can act as the redemption terminal for high-security / high value redemption transactions, and the registration terminal can act as the redemption terminal for low-security / low value redemption transactions.
In this regard, redemption is similar to validation. However, to support the redemption transaction, the document registry 60 stores a redemption status associated with a respective document. Thus, the redemption terminal also sends a redemption query to the document registry to determine the redemption status associated with that document.
Depending on whether a high or low security approach is being used, the query also includes the appropriate combination of a set of biometric parameters, the document identity code and the user identity code.
For redemption, the document registry is configured to respond to the redemption query to validate the document redemption transaction on the basis of the redemption status (as well as the document identity code, the user identity code and/or the set of biometric parameters). In response to a successful document redemption transaction, the document registry further updates the redemption status associated with that document.
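The registration and redemption transactions described above can be modelled as the following added example, which is not code from the patent. The class and method names, the exact-equality stand-in for a biometric matcher, the £100 cut-off expressed in pence, and the rule that the first registration of a document wins are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

LOW_SECURITY_LIMIT_PENCE = 10_000  # assumed cut-off: below £100 the ID ticket suffices


@dataclass
class DocumentRecord:
    specification: dict
    user_code: Optional[str] = None  # set by the registration transaction
    value_pence: int = 0             # determined by the registry itself
    redeemed: bool = False           # redemption status


class BiometricIdentityRegistry:
    def __init__(self) -> None:
        self._params = {}  # user identity code -> biometric parameters
        self._docs = {}    # user identity code -> linked document codes

    def enrol(self, params: tuple) -> str:
        code = secrets.token_hex(8)
        self._params[code] = params
        self._docs[code] = set()
        return code

    def knows(self, user_code: Optional[str]) -> bool:
        return user_code in self._params

    def link(self, user_code: str, doc_code: str) -> None:
        self._docs[user_code].add(doc_code)

    def identify(self, params: tuple) -> Optional[str]:
        # Exact equality stands in for a real biometric matcher.
        for code, stored in self._params.items():
            if stored == params:
                return code
        return None


class DocumentRegistry:
    def __init__(self, identities: BiometricIdentityRegistry) -> None:
        self._identities = identities
        self._records = {}  # document identity code -> DocumentRecord

    def store(self, specification: dict) -> str:
        code = secrets.token_hex(8)
        self._records[code] = DocumentRecord(specification)
        return code

    def set_value(self, doc_code: str, pence: int) -> None:
        self._records[doc_code].value_pence = pence

    def register(self, user_code: str, doc_code: str) -> bool:
        """Paired codes from the registration terminal: link only, reveal nothing."""
        rec = self._records.get(doc_code)
        if rec is None or not self._identities.knows(user_code):
            return False
        if rec.user_code is not None:  # assumed rule: the first registration wins
            return False
        rec.user_code = user_code
        self._identities.link(user_code, doc_code)
        return True

    def redeem(self, doc_code, user_code=None, params=None) -> str:
        rec = self._records.get(doc_code)
        if rec is None:
            return "unknown-document"
        if rec.redeemed:
            return "already-redeemed"
        if params is not None:                            # high-security path
            claimant = self._identities.identify(params)
        elif rec.value_pence < LOW_SECURITY_LIMIT_PENCE:  # low-security path
            claimant = user_code if self._identities.knows(user_code) else None
        else:
            return "biometric-scan-required"
        if claimant is None or claimant != rec.user_code:
            return "no-link"
        rec.redeemed = True  # update status so the document cannot pay out twice
        return "redeemed"


def demo() -> list:
    ids = BiometricIdentityRegistry()
    docs = DocumentRegistry(ids)
    alice = ids.enrol(("iris-A", "palm-A"))  # constructed sample parameters
    other = ids.enrol(("iris-B", "palm-B"))
    ticket = docs.store({"draw": "2016-02-24", "numbers": [1, 8, 16, 36, 42, 49]})
    docs.register(alice, ticket)
    docs.set_value(ticket, 500)
    return [docs.redeem(ticket, user_code=c) for c in (other, alice, alice)]
```

In this model an unregistered document has no link and so cannot be redeemed through either path; the description does not say how anonymous documents are redeemed.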
Relatively low-value payment may be provided by dispensing of cash. Relatively high-value payment may be provided by electronically transferring the value to a user's registered bank account. To this end, the redemption terminal may communicate with a payment validation authority (such as that shown in Figure 3) to carry out such a transfer.
Certain documents' redemption values may change over time. For example, if the document represents a financial instrument such as a bond, then the value may increase over time, and it may be redeemable only after a certain date. Similarly, the redemption value of a document may depend on whether certain conditions are fulfilled. In the present example, the document represents an entry into a prize-draw, and the redemption value of the document is dependent on whether a user manages to correctly predict the winning numbers drawn at a specific prize-draw event in the future. Referring specifically to the prize-draw ticket shown in Figure 2, the document was generated on 24 February 2015 for a prize-draw taking place in the future on Saturday 24 February 2016, with the drawn numbers being predicted by the user to be: 01, 08, 16, 36, 42 and 49.
As the date 302 of the prize draw event, the selected prize-draw numbers 303 and the timestamp 304 for date of document generation form part of the specification of the document that is sent to the document registry, the document registry 60 is able to independently and reliably determine the redemption value of the document specification held by it.
Thus, in general terms, the document registry is configured to determine the redemption value associated with the document by comparing at least a portion of the specification of the document with an outcome of an event. This assumes that the document registry has access to information relating to the event. Notably, the outcome of the event should be only determined after receipt by the document registry of the specification of the document.
More specifically, to place this into the context of the system 10 as a whole, the document generation terminal 30 is configured to receive a request to generate a document 300, the request comprising a specification specifying content that references the event, and also a predicted outcome of the event. The document generation terminal 30 is then configured to send the specification to the document registry 60. The specification is held there until the occurrence of the event (or early redemption, if possible, before the event).
The document registry 60 is thus configured to determine the redemption value associated with the document by comparing the predicted outcome of the referenced event with the outcome of that event, as defined by the specification associated with that document.
It will be appreciated by a person skilled in the art that the principles taught in reference to the system 10 according to a first embodiment of the present invention may be generalised, modified or expanded where context allows. For example, ID tickets 200 and documents 300 are shown in the system to be made available to users in a printed format.
Printing onto paper or another suitable flexible substrate is particularly useful as this approach is low-cost, secure, and does not require the user to possess any special hardware. Security can be enhanced by providing the substrate with watermarks or other such markings, and security inks can be used to print onto that substrate that assure the provenance and authenticity of the issuer. Thus, this is a preferred approach of the embodiment described above.
However, other user-portable formats are also possible, and have different advantages which may be useful in different contexts. For example, it is possible to replace the printers of the system 10 described above with different provisioning means, such as electronic provisioning means.
Thus, rather than issue to a user an ID ticket or document printed on paper, the issuance can be in an electronic format. Specifically, electronic documents, tickets or tokens can be used instead (or in addition to) the printed formats. In such an alternative, the user 1 would need to possess, or have access to an electronic device, such as a mobile telecommunications device, that can be configured to receive such electronic documents, tickets or tokens. In such a scenario, the user 1 would need to provide the secure terminal 20 and the document generation terminal 30 with a means for accessing that electronic device so that the electronic ID ticket issued by the secure terminal 20, or the electronic document issued by the document generation terminal 30 can be transferred to that electronic device.
For example, the user 1 may provide the secure terminal 20 or the document generation terminal 30 with the telephone number of the mobile device, and the electronic ID ticket can be sent to that mobile device as a MMS or SMS text message. Alternatively, the user 1 may provide to the terminals 20, 30, a unique reference to an account held by the user 1, such as an email address. Such an account should be capable of receiving the data sent by the terminals 20, 30, and allow for at least one of: the forwarding of that data, or the presentation of that data on a display of the mobile device, such that the display of the mobile device emulates what would have been exhibited on a printed ticket. In the latter case, the registration terminal 40 does not need to be modified from that described above, in that it can simply scan, using the scanner 41, the electronic display of the mobile device to read-in the user identity code and the document identity code which are displayed on the mobile device in machine-readable (barcode) form.
In the former case, where the mobile device is arranged to forward the data in electronic format, a scanner 41 is not required at the registration terminal 40, merely a means for receiving the electronic data forwarded by the mobile device that contains the user identity code, and the document identity code. Transmission to the registration terminal is ideally via a short-range communication channel, such as WiFi, Bluetooth® or NFC, as this improves the security of the transmission. However, in alternatives, secure communication can be carried out via the communication network 11 of the system 10. Accordingly, in such an electronically-implemented embodiment of the invention, it should be noted that once a user 1 has interacted in person with the secure terminal 20, it is thereafter possible for the user 1 to request generation of a document, and conduct the registration of that document remotely with communications between the user 1 and the document generation terminal 30 and the registration terminal 40 being via the communication network 11. A user 1 will not necessarily need to be present unless the redemption of a high-value document requires the user to revisit the secure terminal 20 or the like to rescan their biometric characteristics.
Thus, it should be noted that, in such an implementation, at least two of the document generation terminal 30, the registration terminal 40, the biometric identity registry 50 and the document registry 60 may be provided by a single server. Communication between the server and the mobile device of the user over the communication network 11 will thus need to be secured, for example by making use of known encryption techniques. Referring back to the embodiment shown in Figure 1, as a general point, the biometric identity registry 50 and the document registry 60 are shown as two separate registries, but they could, in principle, be provided by a single entity or server. Nonetheless, there is an advantage in their separation as this improves the security and the speed of communication between the different components of the system 10 and the performance of the system 10 as a whole. Specifically, as the biometric identity registry 50 contains highly sensitive information relating to the biometric parameters of users, any communication with it, especially relating to such biometric parameters is ideally carried out using a more secure connection than, for example, communication with the document registry 60.
Furthermore, their separation also enables maintenance to be carried out on one of the registries without affecting the other.
Additionally, the modular arrangement of the registries can be extended to accommodate other functions and extensions of the system 10. As already mentioned in relation to Figure 3, a payment validation authority 70 may be part of, or in communication with the system 10 for the purposes of authorising the purchase of documents such as prize draw tickets, and even also for their redemption. However, this modular arrangement can be even further extended.
For example, the system 10 may be extended to include an investment registry. This can be configured in a similar way to the document registry 60 (or even be part of the document registry 60), but performs the function of registering the association between the document (or the user) to an investment.
In particular, the request to generate a document may also comprise a request for an investment into a particular investment, such as a government bond. Again, this request for investment can be specified in the document specification that is sent to the document registry and/or the investment registry.
Notably, it is possible for a document to be generated that is multifunctional, in that it relates to multiple requests. In the present example, the multifunction document can serve as an entry into a short term event (such as a prize draw) and also a long term event (such as an investment such as a government bond having a maturity date after the prize draw, ideally many years after). The advantages of such a multifunctional document or ticket are detailed by the Applicant in International Publication Number WO 2009/019602 the contents of which are hereby incorporated by reference to the extent permitted by the relevant law. In particular, a prize incentive bond can be provided which can, for example, provide a new type of financial investment instrument which is compliant with Sharia'h law for example (and/or other sets of laws or regulations which impose strict limitations on the functional operation of those instruments). The characteristics of the new instrument create difficulties in system implementation which are addressed by the present invention. The new prize incentive bond is based on an appreciation that the financial conditions defined by Sharia'h law can be accommodated in an enhanced long-term investment vehicle which has a short-term marketing aspect associated with it. Typically, that short-term marketing concept is an automatically selected or self-selected number-based prize scheme, which can help to market the long-term financial investment vehicle attached to it. This has the advantage of enhancing the attractiveness of the long-term financial investment to the user. Other extensions are also possible. For example, the system 10 may comprise an advertisement authority or function in which an advertisement is provided on the document or ID ticket provided to the user. Such an advertisement can assist in financing the operation of the system 10. 
Additionally, the advertisement can be targeted by using the details acquired by the system 10 about the user. For example, if it is possible to determine from the acquired biometric parameters whether the user 1 is of a particular gender or ethnicity, advertisements of products and services considered to be appropriate to that particular user can be provided in the form of the document or ID ticket that the user 1 is provided with by the secure terminal 20 or the document generator 30. Similarly, the secure terminal 20 or document generator may comprise a positioning module to determine their location. These positioning modules can provide data to the advertisement authority or function such that the subsequent advertisement provided is tailored to the location of the user when interacting with the secure terminal 20 or document generator 30. By way of additional extension, the system 10 may comprise a media provisioning authority or function in which media can be provided on the document or ID ticket. Such media may include direct media (such as images of collectable characters, recipes, prayers, quotations, visually appealing patterns and the like), and/or such media may include referential media (such as an internet URL to a free movie). The provision of such media on a document or ticket provided to the user can make the acquisition of such a document more appealing to the user (and so serves as a marketing function), or otherwise enhances the intrinsic perceived value of the document to the user 1, minimising the chance that the document or ticket will be discarded or lost (and so serves as a way of improving the security of the document and system 10 as a whole). Further extensions and alternatives are also possible. To appreciate this, a generalised functional embodiment of the invention will now be described.
Figure 4 shows a flow diagram that expresses a generalised embodiment of the invention in the form of a method or process 100. This elucidates how features of the other embodiments of the invention may be generalised.
In step 101, biometric characteristics of the user are determined. Ideally, this is via one or more biometric sensors of a secure terminal, but alternatives are possible.
In step 102, those biometric characteristics are processed to derive a set of biometric parameters unique to that user. Again this is ideally carried out by a processor of a secure terminal, but it should be appreciated that the method does not need to be limited to this. For example, the processing can be performed by a different entity.
In step 103, a user identity code is determined that uniquely references those biometric parameters. This code may be generated as a result of, for example, sending the set of biometric parameters from a secure terminal to a biometric identity registry, which then assigns the code. However, it will be appreciated that the method may not necessarily be limited to this, and rather the secure terminal (or whichever entity performs steps 101 and/or 102) may generate the user identity code locally.
In step 104, the user identity code is provided to the user in a format that the user can take away with them - i.e. a user-portable format.
In step 105, a request is received to generate a document. Ideally, this request is user-initiated. By way of example, a user may interact with a user-interface of a document generation terminal in order to formulate this request. In step 106, the specification of the document is included with the request.
In step 107, a document identity code is determined that uniquely references the requested document, and moreover, its specification. This code may be generated as a result of, for example, sending the specification from a document generation terminal to a document registry, which then assigns the code. However, it will be appreciated that the method may not necessarily be limited to this, and rather the document generation terminal (or whichever entity performs steps 105 and/or 106) may generate the document identity code locally.
In step 108, the document identity code is provided to the user in a format that the user can take away with them - i.e. a user-portable format.
It should be noted that the set of steps 101 to 104 may take place before or after the set of steps 105 to 108. However both sets need to be completed prior to steps 109 onwards.
In step 109, the user typically presents, from the respective user-portable formats, the document identity code and the user identity code for input. This is ideally to a registration terminal for the purpose of carrying out a registration transaction but alternatives are possible.
In step 110, the document identity code and the user identity code are paired with one another. Ideally these paired codes are transmitted to a relevant component, system, registry or authority that also manages the set of biometric parameters established in step 102.
In step 111, the paired codes are used to define a link between the document and biometric parameters of the user.
Accordingly, in step 112, it is possible to validate the existence of such a predetermined link for the purposes of document redemption or validation.
Verifying the association between the user and the document may comprise transmitting a verification request comprising the document identity code and at least one of the user identity code and a set of biometric parameters unique to that user. Accordingly a response may be received to the verification request in the form of a verification message that verifies a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
The process 100 described in relation to Figure 4 may also support extensions such as one or more of:
• conducting a payment transaction, a successful payment transaction authorising the step 104 of providing the user identity code to the user;
• receiving a payment, a payment value of which may be referenced by the specification;
• receiving a payment validation message that validates successful payment for the step 104 of providing the user identity code to the user;
• conducting a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document;
• sending a redemption query to determine a redemption status associated with the document, the query including at least one of: the document identity code, the user identity code and a set of biometric parameters unique to that user;
• validating a document redemption transaction on the basis of a redemption status and the at least one of: the document identity code, the user identity code and set of biometric parameters;
• updating the redemption status associated with that document in response to a successful document redemption transaction; and
• determining the redemption value associated with the document by comparing at least a portion of the specification of the document with an outcome of an event, the outcome being determined after formulation of the specification of the document. Ideally the specification comprises content that references the event, and also a predicted outcome of the event. Accordingly, determining the redemption value associated with the document comprises comparing the predicted outcome of the referenced event with the outcome of that event.
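The registration, verification and redemption flow of steps 103 to 112 and the redemption extensions above, as an added sketch that is not part of the patent text. The class and method names, the random code format, the refusal to re-link a document, and the byte strings standing in for biometric parameters (which assume the derivation yields identical parameters for the same user) are all assumptions of this example.

```python
import hmac
import secrets


def _same(a: bytes, b: bytes) -> bool:
    """Constant-time equality so a comparison does not leak how much matched."""
    return hmac.compare_digest(a, b)


class BiometricIdentityRegistry:
    """Keeps biometric parameters; only an opaque code is ever printed."""

    def __init__(self):
        self._params = {}  # user identity code -> biometric parameters
        self._links = {}   # document identity code -> user identity code

    def enrol(self, biometric_params: bytes) -> str:
        # Step 103: a random code, so the ticket reveals nothing biometric.
        user_code = "U-" + secrets.token_hex(8)
        self._params[user_code] = biometric_params
        return user_code

    def link(self, document_code: str, user_code: str) -> None:
        # Steps 110-111. Refusing to re-link a document is an assumption of
        # this sketch; the page does not say how a second pairing is handled.
        if user_code not in self._params:
            raise LookupError("unknown user identity code")
        if document_code in self._links:
            raise PermissionError("document already linked")
        self._links[document_code] = user_code

    def verify(self, document_code, user_code=None, biometric_params=None) -> bool:
        # Step 112: document code plus at least one of user code / parameters.
        linked = self._links.get(document_code)
        if linked is None or (user_code is None and biometric_params is None):
            return False
        ok = True
        if user_code is not None:  # proves possession of the ID ticket only
            ok &= _same(linked.encode(), str(user_code).encode())
        if biometric_params is not None:  # proves presence of the enrolled user
            ok &= _same(self._params[linked], biometric_params)
        return ok


class DocumentRegistry:
    """Stores each specification with its redemption status."""

    def __init__(self, identity_registry: BiometricIdentityRegistry):
        self._ids = identity_registry
        self._docs = {}      # document identity code -> record
        self._outcomes = {}  # event reference -> outcome, known only later

    def store_specification(self, spec: dict) -> str:
        document_code = "D-" + secrets.token_hex(8)  # step 107
        self._docs[document_code] = {"spec": dict(spec), "redeemed": False}
        return document_code

    def publish_outcome(self, event: str, outcome) -> None:
        self._outcomes[event] = outcome

    def redeem(self, document_code, user_code=None, biometric_params=None) -> int:
        doc = self._docs.get(document_code)
        if doc is None:
            raise LookupError("unknown document identity code")
        if doc["redeemed"]:
            raise PermissionError("already redeemed")
        if not self._ids.verify(document_code, user_code, biometric_params):
            raise PermissionError("no link between document and user")
        spec = doc["spec"]
        if spec["event"] not in self._outcomes:
            raise LookupError("outcome not yet determined")
        won = spec["predicted"] == self._outcomes[spec["event"]]
        doc["redeemed"] = True  # status updated before the value is paid out
        return spec["value"] if won else 0


def demo() -> dict:
    """Run the flow on constructed sample data and return the results."""
    ids = BiometricIdentityRegistry()
    docs = DocumentRegistry(ids)
    owner_params = b"constructed-iris-parameters-A"  # constructed sample
    other_params = b"constructed-iris-parameters-B"  # constructed sample
    owner = ids.enrol(owner_params)
    other = ids.enrol(other_params)
    doc = docs.store_specification(
        {"event": "draw-1", "predicted": (3, 14, 15), "value": 100})
    ids.link(doc, owner)  # registration transaction
    docs.publish_outcome("draw-1", (3, 14, 15))
    result = {
        "owner_ok": ids.verify(doc, biometric_params=owner_params),
        "other_biometric_ok": ids.verify(doc, biometric_params=other_params),
        "other_code_ok": ids.verify(doc, user_code=other),
        "first_redeem": docs.redeem(doc, biometric_params=owner_params),
    }
    try:
        docs.redeem(doc, biometric_params=owner_params)
    except PermissionError as exc:
        result["second_redeem"] = str(exc)
    return result
```

A verification that carries only the two printed codes shows possession of both tickets, whereas one that carries freshly derived parameters ties the document to the enrolled person.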
It will be appreciated that features of this generalised embodiment may be combined or substituted with the first embodiment described in relation to Figure 1. For example, the step 104 of providing the user identity code in a user-portable format may comprise printing, at the secure terminal, the user identity code onto an ID ticket. Moreover, the user identity code may be printed onto the ID ticket in a machine-readable format, such as a 3D barcode. Also, step 105 and/or 106 may comprise generating a document. This may involve generating the document at the document generation terminal in a user-portable format by printing the document. Ideally, the printed document exhibits the document identity code of the document. Again, the document identity code may be exhibited on the printed document in a machine-readable format, such as a barcode. Furthermore, step 109 may comprise scanning the ID ticket and/or printed document to extract therefrom the respective user identity code and/or document identity code to facilitate their input for a registration transaction.
Other embodiments of the invention may be provided.
For example, an embodiment may reside in providing a terminal which issues a user identification store which is provided with a unique identifier that is associated with the biometric parameters measured of that user and which can be used to access stored biometric information pertaining to that user for user identity verification. The store of biometric information is preferably stored at a central server but in an alternative embodiment, it can be stored in a secure part of the terminal when telecommunications channels from the terminal to a central server may be too slow for a point of sale user experience. The unique identifier is typically printed on a ticket or receipt which can then be used for subsequent authentication of the user. The biometric terminal communicates the unique identifier to a central store where it is held together with parameters which relate to the biometric information obtained from the user for use in subsequent authentications of that user. In a later authentication procedure, the user goes to an authentication terminal and provides their biometric data and their unique identifier. Both the identifier and parameters derived from the biometric data are transmitted to the central server for confirmation of the user's identity. Confirmation enables authentication of the user and access to whatever service they are seeking to use. By having only a unique identifier provided on the ticket, not only is the cost of the ticket/slip/card reduced significantly but also the security is enhanced. This is because it is no longer possible to substitute the identity of the legitimate user with a fraudster's identity. Also the current aspect of the present invention is far more secure than Chip and PIN as a stolen identity card, for example, makes no difference to the security of the user and 'shoulder surfing' does not compromise the security of the device. An automated terminal may be provided that records biometric data such as fingerprints and/or iris information and reads an individualised transaction number (unique number) for a promotional scheme. The customer scans their fingerprint and/or iris at an automated dispensing machine and puts in money to receive a scratch card, for example, that has an entry into a prize draw. The transaction number which is generated can also include an investment instrument of medium-term, as well as the draw card information and also a link to the fingerprint and/or iris information.
The individualised investment represented by the card produced can only be accessed once a secondary KYC (Know Your Client) process is carried out, but the cost and time frame of this is reduced as now a simplified identity card either containing biometric information (simply in the form of a picture for visual identification) or not containing biometric information can be inspected by a bank officer and linked with the unique identifier contained in the scratch card/lottery draw card. This would have an individual first price of something in the region of five dollars but would have a section allowing for a reprint of draw numbers/and relevant transaction numbers containing the draw numbers and the investment instrument so that it could be reused many times before second stage KYC was required. The unique element here is the combination of the relevant file reference (unique identifier) of the fingerprint scan and/or the iris scan so that the individualised (biometric) information would not need to be carried on the card itself thereby greatly reducing its cost and increasing its security. The individualised information would have been transmitted via the automated dispensing terminal to the central site which would then give a transaction number which would be incorporated into the unique identifier printed on the card. Subsequent scans for authentication would be able to refer to this unique transaction number being the file reference and incorporate that into new investment certificate/prize draw transaction numbers. This would substantially reduce the cost of the issued card as now the iris and/or fingerprint information would not need to be contained on a chip in the card which would have increased its price.
In this incarnation, the second stage KYC would be for the ID document to be presented to the bank officer and the reference number on the scratch card/receipt which would mean that the bank officer would be able to verify the identity of the customer and link his now recorded iris and/or fingerprint to the ID card, where there was no biometric information, or where there was biometric information on the ID card, have their own biometric information for future transactions.

Claims

1. A system for securely registering the association between a document and a user, the system comprising: a secure terminal comprising at least one biometric sensor, a processor and a ticket printer for printing an ID ticket;
a biometric identity registry for storing a set of biometric characteristics of the user;
a document generation terminal comprising a document printer for printing a copy of the document;
a document registry for storing a specification of the document; and
a registration terminal comprising a scanner for scanning the document and the ID ticket; wherein
the secure terminal is configured, in use, to operate the at least one biometric sensor to determine biometric characteristics of the user and process using the processor those determined biometric characteristics to derive a set of biometric parameters unique to that user, the secure terminal being further configured, in use, to securely transmit the set of biometric parameters to the biometric identity registry;
the biometric identity registry is configured, in use, to receive the set of biometric parameters and store it together with a corresponding user identity code, the user identity code uniquely referencing the set of biometric parameters stored by the biometric identity registry, the biometric identity registry being further configured to, in response to the receipt of the set of biometric parameters from the secure terminal, transmit the corresponding user identity code to the secure terminal;
the secure terminal is further configured, in use, to receive the user identity code from the biometric identity registry, and operate the ticket printer to print the received user identity code on to a user-portable ID ticket, the user identity code being exhibited on the ID ticket in a machine-readable format;
the document generation terminal is configured, in use, to receive a request to generate a document, the request comprising a specification specifying content of the document, the document generation terminal being arranged to send the specification to the document registry;
the document registry is configured, in use, to receive the document specification and store it together with a corresponding document identity code that uniquely references the document specification stored by the document registry, the document registry being further configured to transmit the corresponding document identity code to the document generation terminal;
the document generation terminal being configured, in use, to receive the document identity code from the document registry, and operate the document printer to print a copy of the document exhibiting the document identity code thereon in a machine-readable format; and
the registration terminal is configured, in use, to process a registration transaction during which the registration terminal operates the scanner to scan the machine-readable codes of the ID ticket and the document to extract therefrom, respectively, the user identity code and the document identity code, the processing of the registration transaction by the registration terminal further comprising pairing together the extracted codes, and transmitting said paired codes to at least one of the biometric identity registry and the document registry so as to define a link between the document and the biometric parameters of the user.
2. The system of claim 1, further comprising a verification terminal for verifying the association between the user and the document, wherein:
the verification terminal comprises a scanner for scanning the document and the ID ticket, and is configured, in use, to:
operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code;
determine at least one of the user identity code and a set of biometric parameters unique to that user; and
transmit a verification request to at least one of the document registry and the biometric identity registry, the verification request comprising the document identity code and at least one of the user identity code and the set of biometric parameters unique to that user; and at least one of the document registry and the biometric identity registry are configured, in response to receiving the verification request, to:
determine whether there is a predetermined link between the document and the biometric parameters of the user that are referred to by the verification request; and
transmit to the verification terminal, a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
3. The system of claim 2, wherein the verification terminal comprises at least one biometric sensor and a processor, and is configured, in use, to determine the set of biometric parameters unique to the user by operating the at least one biometric sensor to determine biometric characteristics of the user and processing using the processor those determined biometric characteristics to derive the set of biometric parameters; and
the verification request comprises the set of biometric parameters.
4. The system of claim 3, wherein the processor of the verification terminal, and the processor of the secure terminal each use a function that derives matching sets of biometric parameters from biometric characteristics of the same user.
5. The system of any preceding claim, wherein the secure terminal further comprises an image capture device positioned and arranged to capture an image of the face of the user; the secure terminal being configured, in use, to: operate the image capture device to capture an image of the face of the user; and operate the ticket printer to print the image of the face of the user on to the user-portable ID ticket together with the user identity code.
6. The system of claim 5, wherein at least one of the biometric sensors of the secure terminal comprises an iris scanner positioned and arranged to capture an iris image of the iris of the user, the iris image being of a quality sufficient to allow the processor to derive, from that iris image, the set of biometric parameters unique to that user; and
the iris scanner and the image capture device are positioned relative to one another on the secure terminal and configured to enable the secure terminal to capture the image of the face of the user and also the iris image from the same position of the face of the user relative to the secure terminal.
7. The system of any preceding claim further comprising a POS terminal configured, in use, to conduct a payment transaction, a successful payment transaction being communicated to the document generation terminal to authorise document generation.
8. The system of claim 7, wherein the POS terminal comprises a payment module arranged to receive a payment from a user, the successful payment transaction comprising receiving the payment, the POS terminal being further configured, in use, to communicate, for inclusion within the specification of the document, a reference to a payment value of the payment.
9. The system of claim 7 or 8, further comprising a payment validation authority in communication with the POS terminal, the payment validation authority being configured, in use, to transmit a payment validation message to the POS terminal that validates successful payment for generation of the document.
10. The system of any preceding claim, further comprising a redemption terminal configured, in use, to conduct a document redemption transaction, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document.
11. The system of claim 10, wherein: the document registry stores a redemption status associated with a respective document; the redemption terminal comprises a scanner for scanning the document and the ID ticket, and is configured, in use, to:
operate the scanner to scan the machine-readable code of at least the document to extract therefrom the document identity code;
determine at least one of the user identity code and a set of biometric parameters unique to that user; and
send a query to the document registry to determine the redemption status associated with that document, the query including the extracted document identity code and the at least one of the user identity code and the set of biometric parameters; and the document registry is configured, in use, to respond to the query to: validate the document redemption transaction on the basis of the redemption status, the document identity code, and at least one of the user identity code and the set of biometric parameters; and
update the redemption status associated with that document in response to a successful document redemption transaction.
12. The system of claim 10 or claim 11, wherein the document registry is configured, in use, to determine the redemption value associated with the document by:
comparing at least a portion of the specification of the document with an outcome of an event, the outcome being determined after receipt by the document registry of the specification of the document.
13. The system of claim 12, wherein: the document generation terminal is configured, in use, to receive a request to generate a document, the request comprising a specification specifying content that references the event, and also a predicted outcome of the event, the document generation terminal being arranged to send the specification to the document registry; and the document registry is configured, in use, to determine the redemption value associated with the document by comparing the predicted outcome of the referenced event with the outcome of that event, as defined by the specification associated with that document.
14. At least one of: a secure terminal, a processor, a ticket printer, an ID ticket, a biometric identity registry, a document generation terminal, a document printer, a printed copy of a document, a document registry, a specification of a document, a registration terminal, a scanner, a verification terminal, an image capture device, a biometric scanner, an iris scanner, a fingerprint/hand scanner, a POS terminal, a payment module, a payment validation authority and a redemption terminal; arranged or configured for use with a system according to any one of claims 1 to 13.
15. A method of securely registering the association between a document and a user, the method comprising: determining, at a secure terminal using at least one biometric sensor, biometric characteristics of the user;
processing, at the secure terminal, the determined biometric characteristics to derive a set of biometric parameters unique to that user;
securely transmitting the set of biometric parameters from the secure terminal to a biometric identity registry for storage at the biometric identity registry, and in response receiving at the secure terminal from the biometric identity registry a user identity code that uniquely references the set of biometric parameters stored by the biometric identity registry;
providing, via the secure terminal, the user identity code in a user-portable format;
receiving, at a document generation terminal, a request to generate a document, the request comprising a specification specifying content of the document;
sending the specification from the document generation terminal to a document registry for storage at the document registry, and in response receiving at the document generation terminal from the document registry a document identity code that uniquely references the document specification stored by the document registry;
generating the document, at the document generation terminal, in a user-portable format, the generated document including the document identity code; and
processing, at a registration terminal, a registration transaction for registering the association between the document and the user, the registration transaction comprising:
inputting the document identity code and the user identity code; pairing the document identity code with the user identity code; and transmitting those paired codes to at least one of the biometric identity registry and the document registry so as to define a link between the document and the biometric parameters of the user.
16. The method of claim 15, further comprising verifying the association between the user and the document, the method comprising:
transmitting via a verification terminal, a verification request to at least one of the document registry and the biometric identity registry, the verification request comprising the document identity code and at least one of the user identity code and a set of biometric parameters unique to that user; and
receiving in response to the verification request from at least one of the document registry and the biometric identity registry, a verification message verifying a predetermined link between the document and the biometric parameters of the user, thereby verifying the association between the user and the document.
17. The method of claim 15 or claim 16, further comprising conducting a payment transaction at a POS terminal, a successful payment transaction authorising the step of generating the document at the document generation terminal.
18. The method of claim 17, wherein the payment transaction comprises receiving a payment, a payment value of which is referenced by the specification.
19. The method of claim 17 or 18, wherein conducting the payment transaction at the POS terminal comprises receiving at the POS terminal from a payment validation authority a payment validation message that validates successful payment for generation of the document.
20. The method of any preceding claim, further comprising conducting a document redemption transaction at a redemption terminal, a successful document redemption transaction authorising payment to a user of a redemption value associated with the document.
21. The method of claim 20, wherein a redemption status is stored at the document registry, the redemption status being associated with a respective document, and the document redemption transaction comprises:
sending a redemption query to the document registry to determine the redemption status associated with that document, the query including at least one of: the document identity code, the user identity code and a set of biometric parameters unique to that user;
validating the document redemption transaction on the basis of the redemption status and the at least one of: the document identity code, the user identity code and set of biometric parameters; and updating the redemption status associated with that document at the document registry in response to a successful document redemption transaction.
22. The method of claim 20 or claim 21, further comprising determining the redemption value associated with the document by comparing at least a portion of the specification of the document held by the document registry with an outcome of an event, the outcome being determined after receipt by the document registry of the specification of the document.
23. The method of claim 22, wherein the specification included with the request to generate a document comprises content that references the event, and also a predicted outcome of the event, and determining the redemption value associated with the document comprises comparing the predicted outcome of the referenced event with the outcome of that event.
24. The method of any preceding claim, wherein providing the user identity code in a user-portable format comprises printing, at the secure terminal, the user identity code onto an ID ticket.
25. The method of claim 24, wherein the user identity code is printed onto the ID ticket in a machine-readable format, such as a barcode.
26. The method of any preceding claim, wherein generating the document at the document generation terminal in a user-portable format comprises printing the document, the printed document exhibiting the document identity code of the document.
27. The method of claim 26, wherein the document identity code is exhibited on the printed document in a machine-readable format, such as a barcode.
28. The method of any one of claims 24 to 27, further comprising scanning, at the registration terminal, the ID ticket and/or printed document to extract therefrom the respective user identity code and/or document identity code to facilitate their input for the registration transaction.
PCT/GB2015/050528 2014-02-24 2015-02-24 Improvements relating to the processing of biometric data WO2015124956A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB1403207.2 2014-02-24
GBGB1403207.2A GB201403207D0 (en) 2014-02-24 2014-02-24 Automated pre-preparation of biometric data

Publications (1)

Publication Number Publication Date
WO2015124956A1 (en) 2015-08-27

Family

ID=50482691

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2015/050528 WO2015124956A1 (en) 2014-02-24 2015-02-24 Improvements relating to the processing of biometric data

Country Status (2)

Country Link
GB (1) GB201403207D0 (en)
WO (1) WO2015124956A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060265281A1 (en) * 2005-04-26 2006-11-23 Sprovieri Joseph J Computer system for facilitating the use of coupons for electronic presentment and processing
WO2009019602A2 (en) 2007-08-03 2009-02-12 Ralph Mahmoud Omar A system and a method of handling a multifunction transaction
AU2012227330A1 (en) * 2006-05-09 2012-10-18 Ticketmaster Apparatus for access control and processing
US20120317639A1 (en) * 2011-06-08 2012-12-13 Johnson Huang Biometric data system

Also Published As

Publication number Publication date
GB201403207D0 (en) 2014-04-09

KR20170054980A (en) Method of vertifying user using user identification card and terminal performing the same

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15716108

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 15716108

Country of ref document: EP

Kind code of ref document: A1