WO2019063852A1

WO2019063852A1 - Improved multi-factor user authentication using biometric/biotechnological features

Info

Publication number: WO2019063852A1
Application number: PCT/ES2017/070636
Authority: WO
Inventors: Jose Antonio ENRIQUE SALPICO
Original assignee: Tecteco Security Systems, S.L.
Priority date: 2017-09-27
Filing date: 2017-09-27
Publication date: 2019-04-04

Abstract

The present invention relates to a method, system and device for the identification of users accessing a communication network (or generally speaking any service provider) by means of an electronic device. Said identification is based on the use of several user biometric/biotechnological markers and on the use of electronic device identifiers. Said identification mechanism can be used for the authentication of users in a communication network or in a service provider network, securing, customizing, universalizing, and generally, improving existing authentication mechanisms.

Description

AUTHENTICATION MULTI-FACTOR OF USERS FOR IMPROVED BIOMETRIC / BIOTECHNOLOGICAL TRAITS

DESCRIPTION

TECHNICAL FIELD OF THE INVENTION

The present invention has its application within the telecommunications sector and, especially, it refers to the access of users to a communications network, by means of equipment (electronic devices). More specifically, the invention described herein concerns a method, device and system that incorporates improvement mechanisms (especially security both from the point of view of computer security and information) in the authentication of users in a communication network ( or generally speaking in a service provider), allowing the identification, authentication and verification between people and electronic devices, using biometric technologies or, more generally speaking, biotechnological.

BACKGROUND OF THE INVENTION

The human being has felt the need to protect access by unwanted individuals to private places or personal information. In this way, from the dangers of cybersecurity, the development of various techniques to avoid undue access to private data that must be protected. In a society like the current one, called the information society, security is a fundamental issue, given that fundamental aspects of daily life are based on the use of confidential information of great importance such as bank account numbers, business information, access to certain private information sources and a host of applications that imply the need to maintain a restricted access of people. For this reason arises the need to develop systems whose function is to preserve the security of the individual when accessing this private information. In addition, service providers are expanding out of traditional revenue streams and investing in security, while demanding higher levels of collateral in all transactions related to the service. However, identity assertion is often weak: in most cases, the individual creates their own identity credentials - a username and password - and the service provider can do little to verify the identity of the individual to which they belong. This can leave both individuals and service providers open to identity theft and fraud. For a long time, more complex cryptographic algorithms have been developed, allowing to carry out all the information exchange processes more or less reliably; In addition, to ensure security in communications networks, users (or subscribers) of such networks must be authenticated before allowing them access to the network (the use of the network to communicate inside or outside the network) and various procedures that provide efficient and reliable authentication. However, none of the processes developed to date guarantees that analogous and inverse processes can not be configured to decode the information in progress although this requires a great deal of time and complexity.

Therefore, the current lines of research seek to ensure that this security is not fictitious but that it remains through techniques such as, for example, biometrics and quantum cryptography. The latter is studied in an exclusively theoretical field to date and biometrics, although it is a reality in practice today, is used mainly for access control in other fields such as home automation, border control ....

Biometrics can be defined as a set of automated methods that analyze certain human characteristics to identify and authenticate people, taking advantage of the fact that there are certain characteristics (also called traits) biological or behavioral singular and inalterable in each person, so they can be analyzed and mediated to create a biometric realization. These characteristics are difficult to lose, transfer or forget and are enduring in the time. In a few words, biometrics makes it possible to identify an individual not because of what he or she possesses or knows, but because of what it is.

The features or biometric characteristics must meet five basic concepts or pillars such as Universality (every individual must have these biometric characteristics), Uniqueness (different people must have differentiated biometric characteristics), Permanence (the feature must be invariable in time), Perennity (the trait must be permanent in the long term) and measurability (the trait must be able to be characterized quantitatively).

Biometrics distinguishes two groups of biometric features physiological (also called morphological) and behavioral. The biometric, morphological or physiological features are those that are understood of physical characteristics unalterable and present in most human beings such as voice, face, iris, fingerprint, geometry of the hand, etc. Biometric behavioral traits are those that are based on parameters of human behavior such as keystrokes, signature dynamics, etc.

Despite the multitude of biometric modalities that have been documented in the literature, not all meet or are viable for certain applications, this implies that when developing an automatic recognition system should be made a study of the environment in which it is going to work to be able to choose the most suitable biometric feature. The description of some of the main biometric features (this is just a non-limiting example and many other biometric features can be used) are:

Voice: It is a combination of physical and behavioral characteristics. The physical characteristics of each individual's speech remain unchanged, but behavioral characteristics change over time and are influenced by age, medical conditions or the person's mood. The main disadvantages of this feature are its low distinctiveness and the ease with which it can be supplanted.

Face: The face is probably the most used biometric feature in human recognition between individuals and is a method of non-invasive recognition Approaches to facial recognition are well based on the location and shape of facial attributes such as eyes, nose, lips, etc.

Iris: It is highly distinctive to poop one of the two eyes of each individual. Its capture requires participation by the individual, since it must be located at a predetermined distance from the sensor.

Fingerprint: It has been used as a method of identifying individuals for several centuries in police and forensic environments. A footprint attracts a set of valleys and ridges that are captured by pressing your finger against a sensor.

DNA: It is a unique code for each individual, except in the case of identical twins (monozygotic). Currently, it is the most common method in forensic applications for people recognition, but it has certain limitations in automatic recognition applications. The factors that limit its use in this type of applications are the ease to steal this biometric feature.

Retinal scan: The vascular structure of the retina is assumed to be different for each individual and each eye. It is the safest biometric feature because of its difficulty in duplicating it. But its capture requires the cooperation of the individual and contact with the sensor, so that acceptability on the part of the individual is seriously affected. In addition, it may reveal certain medical conditions.

A biometric system is constituted by a pattern recognizer whose mode of operation is as follows; It captures a biometric feature, extracts a set of characteristics and compares them with various stored patterns to decide about the identity of the individual. It can be said, therefore, that biometric systems provide an identification mechanism that is usually aimed at providing security to a resource, such as authentication in a communications network (detection of users with authorized / unauthorized access).

A communication network and, in general, any system that needs security, whether or not it uses biometric information, can be subject to a series of attacks. Some of the main types of attacks are: - Spoofing attacks are aimed at obtaining illicit access to a resource. The type of attack consists in supplanting the identity of a user with access to the desired resource. There are several variants of the attack depending on the point of the architecture to which they are directed, the most common way to carry out this attack is through synthetic copies of biometric data of the individual. The main objective of the attacker is to obtain access to the biometric data of the individual and to make a synthetic copy of the obtained data. As an example we can find an individual of the Social Security, who, mediated synthetic copies of fingerprints, falsified the presence of other users in the workplace.

- The biometric obfuscation was aimed at falsifying and masking the biometric data, before or after the acquisition of these by the system, to prevent the system from recognizing the individual. The consequences of an obfuscation attack can be as or more serious than those of an impersonation attack. The main objective of the attacker is the physical alteration of their own biometric data either by deterioration or by means of surgery and / or the use of impersonation techniques to impersonate an individual and obfuscate their own identity. This second methodology also includes the use of synthetic data to obfuscate identity.

- denial of service attack whose objective is aimed at delaying, stopping or degrading the system. This type of attacks prevents legitimate users from accessing the system normally. This malfunction of the system can be used by the attacker to carry out a secondary attack of impersonation or obfuscation or to carry out a secondary attack of extortion. The methodology for executing this type of attack is usually the insertion of a large amount of data that would lower the acceptance threshold and, consequently, increase the false positive rate. In this case, the secondary attack may correspond to an impersonation attack, since biometric samples that are not licit could be accepted as licitations by the system. It must be considered that the systems traditional are more easily attacked (mocked) than a biometric system.

- By conspiracy or coercion, a legitimate user of the system can facilitate access to it.

- The false biometric attack, aimed at the process of extracting the biometric data, is based on introducing false data. Depending on the type of biometric system, attacks can take several forms. One of the most common is the presentation of a false fingerprint in the system. It is also common to activate the sensor by breathing on the accumulated debris on the sensor even though more and more sensors are robust to this type of attack. In systems based on face detection, the most common attacks are usually the presentation of photographs, original or with minor modifications, of authorized persons. Other examples of presentation of false biometrics may be the presentation of high quality recordings in speech detection systems or the presentation of photographs on two-dimensional or printed supports on contact lenses in iris-based systems. The current solution on this type of attack to protect the system in the presentation of false biometrics is the detection of whether the sample acquired and compared comes from a living tissue or not. This mechanism is called life detection.

- The injection of false packets and forwarding attacks consist of the capture of data packets coming from several modules of the system and traveling through some communication channel. Captured packets can be used later to authenticate in the system. Captured packets can be sent without modification, used to create new data or biometric data prototypes as well as to extract biometric data aimed at the creation of false biometrics and execute false biometric attacks.

- The execution of the waste reuse attack is based on the capture of temporary data from the hardware, whether they are resident in the main memory, in temporary files stored on a disk or in a file not deleted at a low level, and requires physical access to the hardware involved. in the security system. - Interference attacks in the extraction process are aimed at overwriting the data extracted by the extractor of characteristics. In this case, a Trojan might be responsible for keeping an open door between the attacker and the feature extractor so that the extractor generates the desired data.

These and other existing security weaknesses make it clear that there are serious security problems in the authentication mechanisms (and security in general) used and, as they are designed, it can be very complex to apply a solution for said weaknesses. Another problem with the current authentication mechanisms is that, in addition, most of these elements / authentication mechanisms have not evolved practically in the last decade (at least not from the point of view of management and improvement of security) .

There is, therefore, the need to provide an effective and resource-saving authentication solution, which fully covers the current needs of the user and the network, not presenting the limitations and vulnerabilities of the authentication elements / mechanisms currently in existence. and that minimizes or eliminates the possibilities of configuring analogous and inverse processes that allow to decode the information in course.

SUMMARY OF THE INVENTION The present invention provides a method and system for the identification between (human) users and electronic devices, based on biotechnological markers and especially on biometric markers. This mechanism can be used for the authentication of users in a communication network, providing security, personalization, universalization and, in general terms, the improvement of existing authentication mechanisms. In addition, the individual is identified and authenticated through the biometric / biotechnological traits of the individual, without the need for the individual to enter or remember any password (which makes the system much more secure, efficient and easy to use by the user). For this purpose, in a first aspect, the present invention proposes a method (method) for the authentication of a user of an electronic device in a communications operator (for example, an operator of a mobile communications network or of any type) or provider of a service, with which the electronic device communicates using a data transmission technology (broadband), where the method comprises the following steps: a) Obtain in the electronic device (which the user uses to access the operator or provider) several user identification patterns to authenticate, each of these patterns based on a biometric and / or biotechnological feature different from the user;

b) For each biometric and / or biotechnological trait for which a pattern has been obtained:

b1) compare in the electronic device, said pattern obtained with identification patterns of users (with authorized access to the operator or provider), corresponding to said biometric and / or biotechnological feature, previously stored in an internal database of the electronic device;

b2) generate in the electronic device, a marker including encrypted information (for example, using a Hash code) on the pattern obtained for said biometric and / or biotechnological feature (it may also include information on the result of the comparison made);

c) if, as a result of the comparison, it is determined that none of the patterns obtained coincide, or in other words, the degree of coincidence of all the patterns is below a certain threshold, (here when we talk about two patterns coinciding normally means that their degree of coincidence is greater than a predetermined threshold as the minimum threshold of coincidence) with none of the previously stored patterns, deny access to the electronic device to said user and terminate the method;

d) create in the electronic device a first chain of blocks (from English

"blockchain") linking together the generated markers (ie, associating or interlacing the different markers so that it can be detected that any of the blocks has been altered, analyzing the content of another block, for example the one that precedes it or above in the chain) and send said chain to a network element (or network node), where the position of each marker in the chain depends on the degree of coincidence that has occurred in the process of comparing the pattern corresponding to said marker (with the patterns stored in the base of data);

e) creating in the network element a second block chain with several identifiers of the electronic device, linking said identifiers together (in an alternative embodiment this chain is created in the electronic device and then sent to the network element or node);

f) linking in the network element (also called in this common denominator text) the second chain of blocks with the first chain of blocks, creating a third chain of blocks that identifies the user together with the electronic device;

g) determine in the network element if the third chain of blocks is valid, determining if there has been any alteration in the different links existing between the blocks of the chain, thus it is possible to detect if any of these blocks that identify the user (first string) or the device (second string) has been altered and, in that case, the invalid string is considered and access is denied. In an embodiment for determining the validity of the string, in addition to this, it is also possible to compare said third block chain with previously stored block chains to see if it corresponds to a valid string previously stored for said user and / or device;

h) if it is determined that the chain of blocks is valid (that is, no alteration is detected in it), allow the user access to the communications operator and / or service provider and use said third chain of blocks as identification (for verification, authentication, service authorization, etc.) of the user in the communications operator and / or service provider; otherwise, deny the access of said user to the communications operator and / or service provider (access to the network). Said network element may be a node of the communications operator or service provider. It can also be a router, a switch, a firewall, an access point, or a CPE that manages access (input and output) to the communications network. In this second case, all communications between the device and the network element (router, switch ...) can be done through layer 2 messages of the OSI model; or in other words, the exposed access control can be done in layer 2 (link layer) of the OSI model. In an embodiment, in this second case, in which the network element is a router, switch, ... or more generically, it is an intermediate node of communications between the electronic device and the communications operator or service provider, said element network sends the third block chain to another network node (the communications operator or service provider) so that it re-checks the validity of the third block chain and that it has not been altered and, as a result, denies or allow access.

In general, the type of network element or node used will depend on the communication technology used by the electronic device to access the network and, in particular, whether the electronic device, to access the operator or service provider uses technology of broadband data transmission with non-guided media or a broadband data transmission technology with guided media.

These biometric and / or biotechnological features of the user may be some of the following group: facial recognition features, voice, iris recognition features, recognition features by retina, fingerprint, microbiome, identifier stored in subcutaneous chip or any other .

In one embodiment step a) may comprise:

- a1) Receive biometric and / or biotechnological data from the user (by means of sensors, chip reader, iris or retina scanner, fingerprint scanner or any other device that is necessary to collect said feature from the user);

- a2) Preprocess such data (eliminating all unnecessary data);

- a3) Extract from the received data the vectors of characteristics corresponding to each biometric and / or biotechnological feature;

- a4) For each biometric and / or biotechnological trait, generate an identification pattern of the user based on the vectors of extracted characteristics; and where step a1) is performed in the electronic device and steps a2), a3) and a4) are performed in the electronic device or in a node of the communications operator or service provider and the identification patterns of the generated users are sent to the electronic device (this second case, occurs mainly when it comes to the microbiome that, due to its complexity, is not easily processable by the electronic device). In an embodiment it is not necessary for any of the patterns to coincide so that access is denied, but in step b1), if a certain number of the patterns obtained (although not all) do not coincide with the patterns previously stored in the electronic device, access to the electronic device is denied to said user and the method is terminated. In another embodiment, it suffices that a pattern of the obtained ones does not coincide so that access to the electronic device is denied.

In step f), to create the third chain of blocks, those blocks of the first block chain corresponding to markers whose degree of coincidence is below a predetermined threshold can be used.

(low reliability markers).

The method may comprise the following steps before step e):

- Receive the network element of the electronic device each of the generated markers;

- Check in the network element that the generated markers (or patterns) match previously stored markers (or patterns);

- If they do not match, send a message to the electronic device denying access to the electronic device to that user and terminate the method (that is, a second check of patterns / bookmarks in the network element is made).

According to the communication technology used, the identifiers of the electronic device may be some or the other. Thus, if the electronic device, to access the operator or service provider uses broadband data transmission technology with unguided means, the identifiers of the electronic device may be some of the following group: User Identification in the device electronic, MAC, IMEI, IMSI, MSISDN, Identification of Operating System .... If the electronic device, to access the operator or service provider uses broadband data transmission technology with media guided, the identifiers of the electronic device can be some of the following group: Identification of the User in the electronic device, Identification of Operating System, MAC address, Netbios, Identification of the Physical Port of the network element ....

In one embodiment, if the network element checks that the identifiers of the electronic device are not stored in its internal database as identifiers of an authorized device, it denies access to the network to said device.

The method may also include a training stage (usually performed at an operator or provider node) comprising:

- Receive biometric and / or biotechnological data from authorized users to access the operator or the service provider;

- Preprocessing said data and extracting from the received data the vectors of characteristics corresponding to each biometric and / or biotechnological feature;

- For each biometric and / or biotechnological trait, generate a user identification pattern based on the vectors of extracted characteristics and store it in the internal database of the electronic device.

This training stage is not only done before starting the system, but it can also be done during all authentication processes to improve (make it more accurate) the identification pattern of each stored user. In a second aspect, the present invention proposes a system for the authentication of a user of an electronic device in a communications operator or provider of a service with which the electronic device communicates using a data transmission technology, where the system includes:

- The electronic device comprising:

- A database that stores user patterns with authorized access (to the operator or provider) for different biometric and / or biotechnological features; - Means for obtaining information of various biometric and / or biotechnological features different from the user to authenticate (by means of sensors, chip reader, iris or retina scanner, fingerprint scanner or any other device that is necessary to collect said feature from the user) ;

- Means to obtain several identification patterns of the user to authenticate, each of these patterns based on a biometric and / or biotechnological feature different from the user;

- A processor configured to:

- compare said pattern obtained from the user to authenticate with the patterns of users with authorized access previously stored in the database and

- generate a marker including information encrypted on the pattern obtained for said biometric and / or biotechnological feature

- if none of the patterns obtained coincide with any of the patterns previously stored, deny access to the electronic device to said user;

- create a first chain of blocks by linking together the generated markers where the position of each marker in the chain depends on the degree of coincidence that has occurred in the process of comparing the pattern corresponding to said marker;

- means of communication for sending said chain to a network element (for example, an operator or provider node);

- The network element comprising:

- means of communication for receiving from the electronic device the first chain of blocks and several identifiers of the electronic device;

- A processor configured to:

- creating a second chain of blocks by linking said identifiers of the electronic device together;

- linking the second chain of blocks with the first chain of blocks, creating a third chain of blocks that identifies the user together with the electronic device; - determine if the third chain of blocks is valid, determining if there has been any alteration in the different links existing between the blocks of the chain (in the blocks of the first and second chain to see if there has been any alteration in their content). In an embodiment for determining the validity of the string, in addition to this, it is also possible to compare said third block chain with previously stored block chains to see if it corresponds to a valid string previously stored for said user and / or device;

- if it is determined that the block chain is valid to allow the user access to the communications operator and / or service provider and use said third block chain as identification in the communications operator and / or service provider; otherwise, deny that user's access to the operator. In a third aspect, the present invention proposes an electronic device as described in the previous system.

Finally, in a fourth aspect of the invention a computer program is presented comprising computer executable instructions for implementing the described method, when running on a computer, a digital processor of the signal, an application-specific integrated circuit, a microprocessor , a microcontroller or any other form of programmable hardware. Said instructions may be stored in a digital data storage medium.

Aspects, embodiments and additional, specific and preferred details of the invention are set forth in the appended, independent and dependent claims. For a more complete understanding of the invention, its objects and advantages, reference may be made to the following specification and the accompanying drawings.

Description of the drawings

To complete the description that is being made, and in order to assist for a better understanding of the characteristics of the invention, according to an example preferred embodiment of the same, accompanying said description as an integral part thereof, there is a set of drawings in which, by way of illustration and not restrictively, the following has been represented:

Figure 1 shows schematically a block diagram of the architecture of the speech recognition identification mechanism proposed according to an embodiment of the present invention.

Figure 2 schematically shows a block diagram of the architecture of the subcutaneous chip recognition identification mechanism proposed according to an embodiment of the present invention.

Figure 3 schematically shows a block diagram of the architecture of the identification mechanism by microbiome recognition proposed according to an embodiment of the present invention.

Figure 4 schematically shows an example of the blockchain structure used for the identification of the individual, according to an embodiment of the present invention.

Figure 5 schematically shows an example of the blockchain structure used for the identification of the individual, according to an embodiment of the present invention.

Figure 6 schematically shows an example of the blockchain structure used for the identification of the electronic device and the individual, according to an embodiment of the present invention.

Figure 7 schematically shows a diagram of the operation of the proposed method for the identification of an individual and a smartphone in a use case according to an embodiment of the present invention.

Figure 8 schematically shows an example of the blockchain structure of the device, linked to the blockchain of the device. individual in a use case, according to an embodiment of the present invention.

Figure 9 schematically shows a diagram of the operation of the proposed method for the identification between an individual and a smartphone with non-guided means through a network element in a use case according to an embodiment of the present invention.

Figure 10 schematically shows an example of the blockchain structure of the device, linked to the block chain of the individual in a use case, according to an embodiment of the present invention.

Detailed description of the invention

The present invention proposes a mechanism (or methodology) for identification between humans and electronic devices, by means of which an improved method and system of protection is established, applicable for example to the authentication of users in a communication network or service provider. The communications network can be of any type both from the point of view of its structure (it can be a local area network LAN, extended area, WAN, or any other type) as well as the communication technology it uses (it can be a wired network, a WIFI network, a mobile phone network or use any other type of technology).

This identification mechanism (which usually also includes verification and authorization) is based on the construction of a series of biometric and biological (biotechnological) markers consisting of digital or analog data. These electronic devices can be computers, laptops, mobile phones, smartphones, tablets and, in general, any type of electronic device that gives access to communication networks, programs, communications, applications, data .... Biometrics is an identification technology based on the recognition of a physical and non-transferable characteristic of people (individuals), which differentiates them from other human beings. In other words, biometrics is responsible for the automatic recognition of individuals mediating their physical features (face, retina, iris, voice, fingerprints, etc.) or even behavioral traits. In principle, any physical characteristic (also called trait) or certain types of behavior can be used as biometric features, as long as they have the properties of Universality (every person must possess the biometric characteristic used), Ability to distinguish (the biometric feature must allow to identify and discriminate between two different individuals) and

Constancy (must remain unchanged in time).

On the other hand, biotechnology is a technique of multidisciplinary origin that is applied to instances of technological and industrial processes. That is to say, biotechnology implies an application of technological origin that uses living organisms or biological systems in order to be able to create specific processes, as in this case the identification of an individual, or to obtain essential information (related for example with medicine or pharmacy among others). The system (also called ecosystem) proposed in the present invention is a universal identification system, which can not be altered, and which identifies not only the people who access the electronic devices and the associated services, but also the Electronic devices that need to authentically authenticate and authorize people and electronic devices and / or applications that access network resources. For this, the basis for the construction of this ecosystem consists of the use of biometrics and / or biotechnology technology, in order to generate the necessary markers for a correct identification. The markers to be used may one or preferably several of the following (this is only a non-limiting example and, of course, any other type of biotechnological identifiers and traits may be used):

• Human identification: Biometrics (Speech Recognition, Facial Recognition, Iris Recognition, Fingerprint ...)

Biotechnology (Human Microbiome)

Subcutaneous Chip, NFC identification chip (these chips can also be considered in some way a bio-technological identification system).

Identification of electronic devices or programs (applications).

o Network identifiers:

^■ MAC Identifiers (Media Access Control)

^■ IMEI Identifiers (International Mobile Station Equipment Identity, from the International Mobile Station Equipement Identity)

^■ Identifiers IMSI (International Mobile Subscriber Identity, from the International Mobile Subcriber Identity)

^■ MSISDN Identifiers (Mobile Station of Integrated Digital Services Networks, of the English Mobile Station Integrated Services Digital Networks) or Identifiers of components of the motherboard,

o Software identifiers With these two types of identifiers, we proceed to the construction of the identity.

It should be noted that from now on, for simplicity the term biometric or biotechnological will be used interchangeably to refer to both types of identifiers or characteristics, purely biometric and purely biotechnological. That is to say, with the biometric or biotechnological term, both types of identifiers will be included.

The correct construction of the identity of the human individual (user of the electronic device), is done using specific markers unequivocal that are generated with the data and patterns obtained. With the information of these markers and the link between them, the identity that will be used for the identification and authentication between the individual and the electronic device will be generated.

In this text, when talking about linking or association of the different blocks of a chain of blocks (in this case, the markers) refers to an interlacing of the content of the different blocks so that one of the blocks can be detected it has been altered, analyzing the content of another or other of the blocks, for example the one that precedes or precedes it in the chain).

1. Identity construction. Generation of Markers:

The following describes the methodology for the extraction and creation of the necessary markers for identification of the individual, the creation of these markers will be the way to authenticate the individual in electronic devices (both for online and offline use). You can also proceed to the generation of passwords and passwords to access the devices. Markers based on any type of biometric, biotechnological or other feature (trait) can be used to identify the user. Below are some of them, based on different types of characteristics of the individual. The types of markers (or, in other words, the types of methods to identify the individual from characteristics of the same) that are exposed here, are only by way of example, and in no case are they of a limiting nature, so that they can be use any other type of method / feature to identify the individual.

The identification can be done with a single marker or several but, of course, of course the more markers are generated and used, the more difficult it will be to impersonate the individual (the more secure the identification), since the use of several markers , gives the system greater strength before any reverse engineering technique. Currently, obtaining and processing some biometric markers can be modified to perform identity theft; that's why construction is preferable (generation) of several markers to make it more difficult to modify and supplant the identity of the individual. Of those that will be shown below, the microbiome is undoubtedly the most important marker of all of them, since in addition to obtaining a unique identification of the individual, it contains many more information that can be used in the future.

1. 1. Voice Recognition:

Voice recognition is a biometric technology that uses the voice of the individual to achieve identification. It depends on various characteristics of the individual, on the one hand the physical structure of the vocal tract and on the other there are certain behavioral characteristics. In this identification process, the variability of the voice signal must be taken into account.

In the voice recognition system proposed by the present invention, preferably, there is a training phase (prior to the operation of authentication itself). In this training phase the necessary patterns of characteristics of each of the actors that have to be identified in each of the systems are obtained, these being stored in the internal database in which the data of biometric patterns and references are stored. . Once the voice signal is obtained, the processing is done in two environments:

In the electronic access device (any electronic device that is capable of accessing the network or the service that the user wants to use, for example a mobile terminal, computer, tablet, PC).

In the "Common Denominator". In this section and in the rest of the text, this expression "common denominator" will normally be used to refer to the Network Operator or more generally the Service Provider (or Information Provider or Service Center) that provides the service or information to which you want to access safely. For example, this expression could be used to refer to the Mobile Telephone Operator to which the communication network to which it is being accessed belongs. Within said Operator or service provider, the proposed identification process can be performed (partially or totally) in different network nodes (elements) (11) of said Operator or Provider (normally they will be nodes of the core network, called " core network "in English). Depending on the transport technology, these network nodes can be of one type or another. Thus, in the case of transmission of wireless broadband data (what will be called non-guided media) such as mobile lines (2G, 3G, 4G, 5G ...), these network nodes (1 11 a) can For example, the HLR (from the English Home Location Register), HSS (from the English Home Subscriber Server, Home Network Subscriber Server) or EIR (from the English Equipment Identity Register). Equipment) or any other. If the transmission of data is by guided means, as for example by cable, in this case the equipment used can be for example nodes (1 1 1 b) CPE (of the English Customer Premises Equipment, Local Team of the client), vCPE (CPE) virtual), uCPE (universal CPE) or any other technology node that supports the transmission of data by cable.

It should be noted that although in some of the figures appear the nodes HLR, VLR, HSS Auc, EIR ... (1 11a) or CPE, vCPE, uCPE ... (1 11 b) as external nodes to the database internal of the Common Denominator; this is just a way to draw them. What we want to express is that the different operations performed by the common denominator are carried out in these nodes (of the first type 11 1 a or of the second type 11 1 b according to the transmission technology used). The internal database and other modules of the common denominator can be physically in one of these nodes or distributed in several of them and the nodes communicate with each other according to their needs.

Either in guided data transmission technologies or through non-guided means, when access to the communications operator / service provider is made using an intermediate communications node between the electronic device and the communications operator / service provider ( for example, a router, switch, ... or any other element of network access), this intermediate node Network can be considered as a part belonging to or associated with the Common Denominator and can be where the part of the proposed identification process corresponding to the Common Denominator is carried out. In this case, the identification process, in addition to this intermediate node, can be repeated and confirm in another node of the Common Denominator.

After obtaining the biometric pattern of the biometric characteristics (in this case voice), a comparison is made with the data stored in the internal database of the electronic device to obtain the similarity between the pattern obtained at that moment with each of the biometric / biotech signatures or patterns stored. As will be seen below, from this comparison a marker identifying the user will be generated, said marker along with all the collected data will be sent to the Common Denominator (Operator) and said marker will be compared in the Common Denominator with the stored standard marker in the Common Denominator for that user. That is to say, that the comparison with the stored patterns is done in the internal databases of the electronic devices and in the database of the common denominator (for example in the HLR of the operator), which in turn can have direct communication with electronic devices (through the external database of electronic devices). In the database of the common denominators there may be a module for calculating similarities (between the obtained speech pattern and the stored patterns), which results in a match matrix. In order to interact with the electronic device or devices, it is necessary for the individual to identify himself. In the proposed solution, the identification process will be carried out in two phases, in the first phase the individual is identified in the electronic device, before performing any type of operation with the electronic device. In the second phase, in parallel, the individual (the user who uses the electronic device to access the network through its biometric marker) and the electronic device in the network operator (common denominator) is identified before the user can access it to network. If any of these two identifications does not give a positive result, the user will not be able to access the resources of the network. That is, in the first phase the user accesses the electronic device to make a first identification. In the second phase, the electronic device communicates with the network operator (through the first network segment) in order to identify the user and the electronic device itself, in order to grant access to network services and resources ( since to obtain the service, this has to be identified before being produced). Therefore, as far as security is concerned, this identification becomes more robust since the verification of this data is not on the Internet or on any other platform. To be more clear, we can say that this identification is made in the first segment of the network, since to obtain the service, the user has to be identified and this is done through the first network segment (although if the first segment of network does not have sufficient processing resources or enough data may have to consult other nodes of the network operator). With "first network segment", this text refers to the communication segment that is between the electronic device (device that wants to access the network, also called the client device) and the network element closest to it (depending on the technology). used for communication this first network segment can be delimited for example by a router or switch or by a BTS, Node B, HLR or another network node if mobile technology is used)

The proposed recognition system, shown in figure 1, is constituted by two main stages, the machine training stage (of Machine Learning) or learning and the stage of identification and verification of the identity of the individual. In the first training stage (1 12), the system generates the models from the voice of the authorized people (users) that interact with the electronic device (100), these models are pre-processed by the electronic device (100) and / or the common denominator modules (1 10), generates the corresponding voice patterns and stores them in the internal database of the electronic device (123) and in the internal database of the common denominator (123). This training is not only done at the beginning but it has a continuous improvement since, every time an individual wants to access the electronic device and it must be identified in it (next step that we will explain below), the biometric data collected from the individual (in this case your voice) are sent by the electronic device to the Common Denominator and there these data are again processed (101 a) to improve the saved patterns for that individual and those improved patterns are stored (123f) and they are also sent from return to the internal database of the electronic device for use in subsequent identification.

In the identification and verification stage, the system determines the identity of the person under analysis and verifies their identity from the voice obtained from the user (also called the user's signature) in order to build the marker, using the models stored in the database of internal data (123). The first step for the identification of the user is to obtain their biometric features (in this case the voice). Once the voice signal has been obtained through the electronic device (100), the received signal is detected (101) and this data is sent to the acoustic processing module (102) to, among other things, eliminate all data that can get to contaminate the signatures obtained. Once the acoustic processing stage (102) determines that the data obtained correspond to a voice signal, the extraction of the feature vectors with the data useful for speech recognition is carried out by means of the language analysis module (103), which uses for example, models or algorithms such as Acoustic Models (103a), Lexicon Models (103b), Language Model (103c) or other known methods (103d). These modules can be repeated in the Common Denominator since, as indicated above, as part of the training and continuous improvement the voice signal will also be processed in the Common Denominator to improve the registered patterns for each user.

After obtaining the feature vectors (patterns that identify the user) in the previous step, the comparison of patterns (123a) of the data obtained with the data stored in the internal database (123) of the electronic device is carried out. .

The process of comparing entry patterns with the patterns (also called signatures) stored, allows to proceed with the identification and verification of the identity of the individual. As indicated above, in the training and learning process, a model (pattern) of each person is generated. has had access (presumably authorized) to the system and is stored. Comparing the data obtained with the stored data identifies each user that interacts with the electronic device. This is done in the signature model module (123b). Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information.

These modules can be repeated in the Common Denominator (as seen in Figure 1) since, as indicated above, as part of training and continuous improvement the voice signal will also be processed in the

Common Denominator to improve registered patterns for each user.

Once the data obtained has been compared with the signatures (patterns) stored in the database, depending on the error that is generated from that comparison, the result can be Identified Individual (without errors), Individual

Identified with errors or Unidentified Individual.

The difference between an individual identified without errors and with errors is the following: If the data obtained for a user is considered exactly the same (with a very high percentage of coincidence, for example 90 or 95%) to the data that is previously stored for that user; the user will be identified without error, the identification will be legal and the corresponding marker will be generated without any error. If the compared data do not coincide exactly, but coincide in a percentage higher than a certain threshold (for example 50%), it is considered that the individual has been identified but with errors. That is, if the stored data is similar but not exactly equal to the data stored for that user, the individual will have been identified with errors and the corresponding marker will be generated with erroneous data. If the compared data coincide in less than a certain threshold (for example 50%) it is considered that the individual has not been identified. The border between considering that the user has been identified with errors or considering that he has not been identified is a design option. In any case, even if it is identified with an error or is not identified, the corresponding marker can be generated. This marker when building the block chain may be part of the chain of blocks, this being the last in the chain, or it may be removed from the block chain. When using the marker for the construction of the chain of blocks, and when verifying said chain in the common denominator, this block with errors or unidentified can be analyzed to perform forensic techniques on the data of the individual who has tried to impersonate the individual legitimate (if that has been the case). If the individual is identified correctly (without errors) the system constructs a marker (123d) that contains the code (which includes a message of "Start", Begin) of identification of legitimate individual. These codes are preferably hash codes for identification, verification, authentication and authorization (User / Password), which serve to access the electronic device, the network and the services associated with the individual; This marker is one of the markers used in the multiple factor ecosystem proposed in the present invention. This code is unique for each individual that interacts with the electronic device, the procedure (hash) that is used to construct the code is an algorithm that transforms the data into a series of characters with a fixed length. This code is a fixed code assigned to each user but unknown to the user.

If the individual is not identified correctly, the system constructs a marker, which contains the code (123d) (with a message of "Check", Check). This means that as the individual has identified with errors (or in other words, the code has been built with anomalous data), the system will preferably request the individual (user) authentication of a second step. In this authentication in a second step, the common denominator can generate and send the code to the legitimate individual; if the individual can not access the code that has been sent, they will have access to the electronic device with limited use, until it is correctly identified. One that is correctly identified, the status of the code will pass to the identified individual (Start) and this will be audited until it closes with the electronic device. If, on the other hand, the user is not registered, therefore it can not be identified, the system will build a marker (123d) that will contain a code with a "Stop" message and will not be able to access the electronic device. This code will be sent to the common denominator (1 10) to later be analyzed.

In an alternative embodiment, if several biometric / biotechnological features are used to identify the individual, access to the electronic device may be allowed if any of the identifications with one of the traits is not successful but others do (this will be a design option and will depend of the degree of security that is desired, of what type of identifications are used, of how reliable they are ...). For example, if recognition by microbiome and recognition by fingerprint do give a positive identification, the device can be accessed even if voice recognition is not successful.

The electronic device can send to the common denominator all the data received from the user as well as the generated markers. The common denominator can compare the marker generated by the electronic device with the standard marker for said user (generated with the data previously stored for said user); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d). Or you can even repeat the identification and verification steps (123 b and 123c) in the Common Denominator to generate the marker again and compare it with the marker received from the electronic device.

If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device. With this double check you get:

A more solid identification method without making it more complex for the user, because this identification is inherently made in the electronic device and in the common denominator and for the individual it is completely transparent.

Grant greater granularity to the services associated with the individual. For example, if a user makes a call with a terminal that is not his, as the biometric data of the user must be verified in the operator (common denominator), therefore the operator will know which user is actually making the call, so the call can be billed to the real user. Thus, independently of the electronic client device, the user can be located at all times. Improved processing of the information of the markers for a correct interpretation of the obtained data.

Improved training of the different markers.

In addition, the Common Denominator processes all the data received to improve the different elements such as stored patterns, the methods of comparison and verification, the methods of processing the input signal ... and this will be communicated to the electronic device in order to Improve the identification process for the next occasion. The common denominator (1 10) is responsible for learning from all data received by the electronic device, in addition to identifying both the legitimate individual and the electronic device in all services associated with the individual. Granting a greater functionality in the granularity of the acquired data, allowing more information in the data received by each individual, both legitimate and illegitimate allowing the granulated transaction to all the resources that depend on the common denominator.

It should be noted that, as will be explained later, the common denominator not only identifies the individual (as is done in the electronic device) but also identifies the electronic device and will associate said identification with that of the individual (user) who is using said device. Therefore there are two identifications and verifications, which identifies and verifies the individual in the electronic device (which we will call "off-line" identification) and the one that identifies and verifies the individual and the electronic device (client device) in the common dominator so that he can access the services and resources of the network (which we will call "on-line" identification).

Depending on the transport technology that is used, some elements or others will be used in the common denominator. In the case that the lines are used mobile (3G, 4G, 5G, etc.), the elements in charge of identification may be:

• HLR, VLR, HSS, AuC or Others (router, switch ...): They will be in charge of registering and identifying the blocks or markers.

· The R is responsible for registering and identifying the electronic device

(client device)

If, on the other hand, broadband transport technology is cable, the elements in charge of identification may be:

• vCPE, uCPE or Others (router, switch ...): They will be in charge of verifying and identifying both the individual and the electronic device (client device).

As seen in Figure 1, there is an external database (124) that is responsible for sending and receiving all data to the (and the) common denominator (ie it acts as an interface between the internal database of the electronic device and the common denominator). That is, the data is not received or sent directly to the internal database of the electronic device for greater protection of the data contained in the internal database. 1.2. Facial Recognition:

Facial recognition is a biometric technology that allows you to determine the identity of a person by analyzing their face. Unlike other biometrics, this technology is not intrusive and does not require collaboration on the part of the user, it is only necessary for his face to be acquired by a camera. The most advanced current facial recognition techniques are based on what are known as mathematical representations and matching processes. Some of the techniques used to obtain this biometric marker are:

• Traditional systems. They are based on correlation and range from the simplest form (where only different models are compared) to techniques that use classifications mediating neural networks and deformable templates. • Local or geometric systems. Characteristic vectors extracted from the profile of the individual are analyzed, although the features that can be observed from the frontal view of the face can also be checked.

• Other techniques. Facial recognitions using three-dimensional analysis or skin texture study techniques are the most important novelties of facial recognition. In the first case, features such as the chin, the contour of the eyes or the cheekbones are determined. On the other hand, in the second analysis, details such as single lines, facial patterns, spots or scars are checked.

The methods currently used can also be distinguished in models of local features (they recognize the eyes, the nose, the mouth ... and measure the distances and angles of the face), of global features (they provide information of the whole face ) or mixed (combination of the above).

It can be said that there are three basic modules of the process of facial recognition that perform together the necessary functions to recognize the individual who accesses the system; a database, an enrollment module and a recognition module. The registration module that is housed in the electronic device, is formed by an acquisition system responsible for providing the biometric signal (image of the face) that characterizes the individual.

After the acquisition of the biometric signal proceeds to the extraction of the characteristics of the individual's biometric trait. These characteristics express the individual in a univocal and compact way and constitute the biometric pattern. In this way, the optimal coding of the signal is carried out in which all irrelevant information, which does not contribute to the recognition, is eliminated.

The biometric pattern extracted by the enrollment module is stored in the database of the recognition system of the electronic device. This database will therefore contain all the biometric patterns of the individuals who are legitimate users of the electronic device.

The recognition module is responsible for establishing the identity of the individual accessing the electronic device. For this, after the acquisition of the biometric feature of the individual, the characteristics are extracted and the biometric pattern is obtained, which is then compared with the patterns stored in the internal database of the electronic device. The results of said Comparisons are quantified and valued, thus allowing the decision making regarding the identity of the individual based on similarity obtained. All this process of extraction of the biometric characteristics, is done in the electronic device and the biometric patterns are stored in the databases of the device itself and in the common denominator, for its later analysis and training of the obtained patterns, for the correction of possible errors. As in the case of speech recognition, once the biometric pattern is obtained (in this case, data from the user's face), the processing is performed in two environments: The electronic device (Mobile Terminal, Tablet, Pe, etc.) .) and the so-called common Denominator (Operators, Service Providers, etc.).

In the proposed solution, the identification process is carried out in two phases, in the first phase the individual is identified in the electronic device, before performing any type of operation with the electronic device. In the second phase, in parallel, the individual (the user who uses the electronic device to access the network) and the electronic device in the network operator or service provider (common denominator) is identified before the user can access to network. If any of these two identifications does not give a positive result, the user will not be able to access the resources of the network. That is, in the first phase the user accesses the electronic device to make a first identification. In the second phase, the electronic device communicates with the common denominator (network operator) through the first network segment, to perform an identification of the user and the electronic device itself, to proceed to grant access to services and resources network (since to obtain the service, it has to be identified before it occurs). Therefore, as far as security is concerned, this identification becomes more robust since the verification of this data is not on the Internet or on any other platform. To be more clear, we can say that this identification is made in the first segment of the network (although if the first network segment does not have enough processing resources or enough data it may have to consult other nodes of the network). Therefore, in order to interact with the electronic device or devices, it is necessary for the individual to identify himself. To illustrate the proposed facial recognition system, the block scheme shown in Figure 1 can be used, since most blocks and functions are repeated. In fact, the explanations that have been included above about how the proposed identification procedure works for the case of voice recognition are totally extrapolar for the case of facial recognition.

Of course, in this case, the user's input signal would not be a voice signal as in Figure 1 but an image. The proposed recognition system is constituted as the previous system (voice recognition), by two main stages, the training or learning stage and the identification and verification stage of the identity of the individual. In the first training stage (112), the system generates the models from the facial image of the people (users) interacting with the electronic device (100), these models are pre-processed by the electronic device (100) and / or the common denominator modules (110), generates the corresponding patterns and stores them in the internal database of the electronic device (123) and in the internal database of the common denominator (123). This training is not only done at the beginning but it has a continuous improvement since every time an individual wants to access the electronic device and it must be identified in the same

(next step that we will explain below), the biometric data collected from the individual can be sent by the electronic device to the Common Denominator and there these data are again processed (101 a) to improve the saved patterns for that individual and those improved patterns are stored (123f) and in addition, they are sent back to the internal database of the electronic device for use in subsequent identification.

In the identification and verification stage, the system determines the identity of the person under analysis and verifies its identity from the image of the user's face (also called the user's signature) in order to build the marker, using the models (patterns ) stored in the internal database (123). The first step for the identification of the user is to obtain the image thereof, once the image has been obtained through the electronic device (100), the received image is detected (101) and pre-processed (this module of processed would take the place of the acoustic processing module 102 of Figure 1). In this stage all the data that can get to contaminate the captured image is eliminated. Once the pre-processing step determines that the obtained image corresponds to a real face, the extraction of characteristics is carried out (this extraction module would take the place of the language analysis module 103 of figure 1) using for example , facial recognition techniques that are based on the holistic or appearance aspect (PCA, LDA, ICA, LPP, Kernel ...), techniques based on analytical or feature functions (Gabor, LBP ...), hybrid techniques ( this method performs a fusion of the two types of methods described above to obtain an improvement in the results) or any other known facial recognition technique. These modules can be repeated in the Common Denominator since, as indicated above, as part of training and continuous improvement, the image will also be processed in the Common Denominator to improve the registered patterns for each user.

After obtaining the characteristic vectors in the previous step, the comparison of patterns (123a) of the data obtained with the stored data is carried out. This module belongs to the internal database (123) of the electronic device (and preferably also of the common denominator). The process of comparing input patterns (of images) with the patterns (also called signatures) of stored images allows the identification and verification of the identity of the individual to proceed. As indicated above, in the training and learning process, a model (pattern) is generated for each person who has had (authorized) access to the system and is stored.

Comparing the data obtained with the stored data identifies each user that interacts with the electronic device. This is done in the signature model module (123b). Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information.

Once the data obtained has been compared with the signatures (patterns) stored in the database, depending on the error that is generated from that comparison, the result can be Identified Individual (without errors), Individual Identified with errors or Unidentified Individual. For the difference between an individual identified without errors and with errors, the same applies as explained in the section on Speech Recognition. If the individual is identified correctly (without errors) the system constructs a marker (123d) that contains the code of the type "Start" (Start) of identification of legitimate individual. These codes (123e) are preferably hash codes for identification, verification, authentication and authorization (User / Password), which serve to access the electronic device, the network and the services associated with the individual; This marker is one of the markers used in the multiple factor ecosystem proposed in the present invention. This code is unique for each individual that interacts with the electronic device, the procedure (hash) that is used to construct the code is an algorithm that transforms the data into a series of characters with a fixed length. This code is a fixed code assigned to each user but unknown to the user.

If the individual is not identified correctly (identification with errors), the system constructs a marker, which contains the code (123e) of the type "Check" (Check). This means that as the individual has identified with errors (or in other words, the code has been built with anomalous data), the system will preferably request the individual (user) authentication of a second step. In this authentication in a second step, the common denominator will send the code to the legitimate individual; if the individual can not access the code that has been sent, they will have access to the electronic device with limited use, until it is correctly identified. One that is correctly identified, the status of the code will pass to the identified individual (Start) and this will be audited until it closes with the electronic device.

If, on the other hand, the user is not identified (the user is not registered), the system will build a marker (123d) that will contain a "Stop" type code and will not be able to access the electronic device. This marker will be sent to the common denominator (110) to later be analyzed. The electronic device will send to the common denominator all the data received from the user as well as the generated markers. The common denominator can compare the marker generated by the electronic device with the standard marker for said user (generated with the data previously stored for said user); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d). Or you can even repeat the identification and verification steps (123 by 123c) in the Common Denominator to generate the marker again and compare it with the marker received from the electronic device.

If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device.

It should be noted that in the common denominator not only the individual is identified (as is done in the electronic device) but also the electronic device is identified and that identification can be associated with that of the individual (user) that is using said device.

As it happened in the voice recognition system, there is an external database (124) that is responsible for sending and receiving all the data to (and from) the common denominator (that is, it acts as an interface between the database internal of the electronic device and the common denominator). The data is not received or send directly into the internal database of the electronic device for greater protection of the data contained in the internal database.

1.3. Recognition of Iris and Ocular Retina:

The use of the human eye in the identification of people has given rise to two different biometric techniques, one based on the characteristics of the ocular iris, and the other that uses the characteristics of the retina. They only have in common that they serve as the same organ, the human eye, however they give rise to two completely different types of biometric systems, both in the methods of image capture and techniques for extracting characteristics and in comparison methods.

Biometry based on the iris pattern is characterized by high stability and discrimination power. The texture of the iris is very useful due to its permanent and unalterable character, showing a high variation between classes and low intraclass variation, which has given it the status of one of the most reliable biometric methods, because the probability of finding two individuals with an identical iris pattern they are almost nil. In this case, the potential of the iris to obtain the identification marker lies in a series of characteristics of its own, stability against changes being an individual detection mechanism, the capture of data (image) non-invasively. The iris is a molecular structure that adapts the opening of the pupil depending on the amount of light that arrives, and whose singular details give it a peculiar character. The iris should not be confused with the retina that is inside the back of the eye protected from the outside by the cornea.

The iris recognition is based precisely on the fact that, due to inherent characteristics of its morphology, it presents cracks, grooves or striae, among other characteristics that make up a highly rich texture in details. This texture formed in the embryonic stage is stochastic, which determines that the phenotypes of two irises with the same genotype, joint such as identical and Siamese twins, present uncorrelated details. The iris therefore has certain special characteristics that give it great potential for its application in biometric systems. The amount of information presented by this biometric indicator is so considerable that it allows the identification of individuals through non-invasive procedures and that additionally develops at prudential distances and without environmental restrictions with very safe results, which allows the implementation of verification and identification systems applicable to real conditions. The iris, like the retinal vasculature, has a unique structure per individual formed a very complex system, so that the probability of finding the possibility of finding two identical individuals is 1 in 16 million. It also remains unchanged throughout the person's life, and logically this is the main factor that provides that the iris is a feature of high performance by biometric systems. In addition, we find the factor that this structure contains a large amount of information, very favorable for biometric analysis since it contains 266 distinctive characteristics, among which is the trabecular meshwork.

Below we will list in more detail some of the factors that make the iris suitable for the construction of the new marker:

• Invariability; The iris pattern remains unchanged. It does not degrade with the passage of time or with the environment. This assumes that the pattern or signature that is initially stored can be used throughout life, since it is stable from about eighteen months of age.

• The cornea, thanks to its transparency, allows to make the iris visible from the outside. It is the only internal organ that has this characteristic.

• Oneness; The iris patterns are more complex and random than other biometric patterns, which offers a highly accurate method for an individual's authentication.

• An important feature to avoid possible falsifications is that, even with uniform illumination, the iris presents small variations in its aperture, this feature allows us to exploit the identification methodology or technology since it allows to capture if the detected individual is a living subject, avoiding possible frauds, such as when submitting a photograph to the proposed system.

As we have mentioned previously, it is a non-invasive identification method. Even the system is invariable to the use of contact lenses or glasses, since these elements do not modify the structure of the eye. In the current situation where security applications are increasingly necessary, it is vitally important to develop this methodology or technology whose implementation does not represent an inconvenience for people, nor does it pose a danger to the integrity of people. The amount of information that can be obtained is significantly greater than what can be obtained from fingerprints. And although its accuracy is less than that presented by DNA, the identification of the iris is a fast and accurate method. From now on, for simplicity, the explanation will focus on identification by recognition of Iris instead of the ocular retina, but that the processes to follow are equivalent; so what is explained below about identification by recognition of Iris is applicable to recognition by ocular retina.

As in the previous markers (speech recognition and facial recognition), the process of extracting the biometric characteristics is done in the electronic device and the biometric patterns are stored in the data bases of the device itself and in the denominator common, for its later analysis and training of the obtained patterns, for the correction of possible errors. Once the biometric pattern has been obtained (in this case, data from the user's face), the processing is done in two environments: The electronic device (Mobile Terminal, Tablet, Pe, etc.) and the so-called Common Denominator (Operators, Suppliers of Services, etc.).

In the proposed solution, the identification process is carried out in two phases, in the first phase the individual is identified in the electronic device, before performing any type of operation with the electronic device. In the second phase, in parallel, the individual (the user who uses the electronic device to access the network) is identified together with the electronic device in the network operator (common denominator), before the user can access the network . If any of these two identifications does not give a positive result, the user will not be able to access the resources of the network. That is, in the first phase the user accesses the electronic device to perform a first ID. In the second phase, the electronic device communicates with the network operator (through the first network segment) to perform an identification of the user and the electronic device itself, in order to grant access to the services and resources of the network. network (since to obtain the service, it has to be identified before it occurs). Therefore, as far as security is concerned, this identification becomes more robust since the verification of this data is not on the Internet or on any other platform. To be more clear, we can say that this identification is made in the first segment of the network (although if the first network segment does not have enough processing resources or enough data it may have to consult other nodes of the network). Therefore, in order to interact with the electronic device or devices, it is necessary for the individual to identify himself.

To illustrate the iris recognition system, the block scheme shown in Figure 1 can be used, since most blocks and functions are repeated. In fact, the explanations that have been included above about how the proposed identification procedure works for the case of voice recognition and facial recognition are for the most part extrapolated for the case of iris recognition. Of course, the user's input signal would not be a voice signal as in Figure 1 but an image or scan of the iris.

The proposed recognition system is constituted, like the previous ones, by two main stages, the training or learning stage and the identification and verification stage of the individual's identity. In the first stage of training (1 12), the system generates the models from the iris data extracted from the people (users) that interact with the electronic device (100), these models are pre-processed by the electronic device ( 100) and the common denominator modules (1 10), generates the corresponding patterns and stores them in the internal database of the electronic device (123) and in the internal database of the common denominator (123). This training is not only done at the beginning but it has a continuous improvement since, every time an individual wants to access the electronic device and it must be identified in it (next step that we will explain below), the biometric data collected from the individual are sent by the electronic device to the Common Denominator and there these data are again processed (101 a) to improve the saved patterns for that authorized individual and those improved patterns are stored (123f) and in addition, they are sent back to the internal database of the electronic device for use in subsequent identification.

In the identification and verification stage, the system determines the identity of the person under analysis and verifies its identity from the user's iris image (also called the user's signature) in order to build the marker, using the models (patterns) stored in the internal database (123).

The first step for the identification of the user is to obtain the biometric features thereof (in this case, an image or a scan of his iris), once the image has been obtained through the electronic device (100), the image received it is detected (101) and pre-processed (this processing module would take the place of the acoustic processing module 102 of Figure 1). In this stage all the data that can get to contaminate the captured image is eliminated. Once the pre-processing stage determines that the image obtained corresponds to an eye (for example, by iterative analysis of the intensity gradient in circular crowns), the extraction of characteristics is carried out (this extraction module would take the place of the language analysis module 103 of Figure 1) using for example, the following techniques based on mathematical models or algorithms, FCN, K-Means, Gabor or any other known technique. After obtaining the characteristic vectors (patterns) of the user's iris in the previous step, the comparison of patterns (123a) of the data obtained with the stored data is carried out. This is done in the internal database (123) of the electronic device (and preferably also of the common denominator). The process of comparing input patterns (of images) with the patterns (also called signatures) of stored images allows the identification and verification of the identity of the individual to proceed. As indicated above, in the training and learning process, a model (pattern) is generated for each person who has had access to the system and is stored. Comparing the data obtained with the stored data identifies each user that interacts with the electronic device. This is done in the signature model module (123b). Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information. Once the data obtained has been compared with the signatures (patterns) stored in the database, depending on the error that is generated from that comparison, the result can be Identified Individual (without errors), Identified Individual with errors or Unidentified Individual . For the difference between an individual identified without errors and with errors, the same applies as explained in the section on

Speech recognition. Likewise, the generation of markers and codes, according to the individual has been identified without errors, with errors or not identified, is done in the same way that has been explained for the Voice Recognition and Facial Recognition, so it is not I need to explain it again here.

The electronic device can send to the common denominator all the data received from the user as well as the generated markers. The common denominator can compare the marker generated by the electronic device with the standard marker for said user (generated with the data previously stored for said user); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d). Or you can even repeat the identification and verification steps (123 b and 123c) in the Common Denominator to generate the marker again and compare it with the marker received from the electronic device. If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device.

In addition, the Common Denominator processes all the data received to improve the different elements such as stored patterns, the methods of comparison and verification, the methods of processing the input signal ... and this will be communicated to the electronic device in order to improve the process identification for the next occasion. The common denominator (1 10) is responsible for learning from all data received by the electronic device, in addition to identifying both the legitimate individual and the electronic device in all services associated with the individual. It should be noted that in the common denominator not only the individual is identified (as is done in the electronic device) but also the electronic device is identified and that identification can be associated with that of the individual (user) that is using said device. As it happened in the voice recognition system, there is an external database (124) that is responsible for sending and receiving all the data to (and from) the common denominator (that is, it acts as an interface between the database internal of the electronic device and the common denominator). The data is not received or sent directly to the internal database of the electronic device for greater protection of the data contained in the internal database.

1.4. Fingerprint Recognition:

Fingerprint recognition is a biometric identification method that is easy to use and is the most accepted by most users. Fingerprints are unique characteristics of people, which are formed after the sixth week of intrauterine life and do not vary in their characteristics throughout the life of the individual. They are constituted by ridges that form protrusions (papillary crests) and depressions (interpapillary furrows). The pattern followed by the lines and grooves of a trace can be classified into three major features; bow, loop and spiral. Each finger has at least one of these characteristics. On the other hand, at certain points the lines of the fingerprint are cut sharply or bifurcate. These points are called minutiae, and together they account for almost 80% of the unique elements of a trace. All this gives rise to a unique complex pattern for individual, different even in identical twins. In particular, the probability that two people have the same fingerprints is approximately 1 in 64,000 million. Even if it were the case that two people have the same fingerprint pattern, in this proposed methodology or technology, the only thing that is extracted are the specific markers of this biometric technology, in order to use a marker, in this case the fingerprint, to build the identification of the individual. The fingerprint is used successfully throughout the world for the identification of people by different organisms since it complies with the properties of Permanence (They do not change their characteristics over time),

Unicity (They always differ, they are unique and unrepeatable for each individual), Universality and Quantification: The characteristic can be measured quantitatively.

The fingerprints have visible characteristics such as ridges, furrows, minutiae, the nucleus and the delta. The most interesting feature of both the minutiae and the singular core and delta points is that they are unique to each individual and remain unchanged throughout their lives. Despite the variety of minutiae, the most important are the terminations and bifurcations of crests. The latter is due to the fact that the ridge terminations represent approximately 80% of all the minutiae of a trace.

When a fingerprint is digitized, the details related to the lines (curvature, separation, etc.), as well as the absolute and relative position of the extracted minutiae, are processed by means of algorithms that allow obtaining an alphanumeric index corresponding to said fingerprint. In broad strokes, the stages of operation of the recognition by fingerprint are usually the following:

Data acquisition; In this stage, the starting data (fingerprint) is collected through the sensor of the electronic device (usually the data collected is analog and is converted in this stage in digital format.) This process is determinant since the amount and quality depend on it of the information acquired, the implementation of the following stages, and, therefore, the final result obtained.

Pre-processed; The data obtained is processed and in some cases it is necessary to prepare the data to eliminate possible noises or distortions produced in the acquisition stage, or to normalize the information to specific features to have a greater effectiveness.

Feature extraction; In this stage, information that is not useful in the recognition process is eliminated, either because it is not specific to each individual or for being redundant. In this way, only those characteristics that discriminate between different individuals are extracted and that at the same time they remain unchanged for the same person.

Once the characteristics are extracted, a model or signature or pattern is drawn up that represents the individual whose fingerprint has been extracted and which allows the evaluation of the correspondence between the entry patterns and the model (pattern) of the particular individual stored in the bases. of data. These processes are performed in the electronic device and the biometric patterns are stored in the databases of the device itself and in the common denominator, for further analysis and training of the patterns obtained, for the correction of possible errors.

Once the biometric pattern of the user who wants to access the information or the network (in this case, his fingerprint) is obtained, the processing is done in two environments: The electronic device (Mobile Terminal, Tablet, Pe, etc.) and the so-called common Denominator (Operators, Service Providers, etc.).

In the proposed solution, the identification process is carried out in two phases, in the first phase the individual is identified in the electronic device, before performing any type of operation with the electronic device. In the second phase, in parallel, the individual (the user who uses the electronic device to access the network) and the electronic device in the network operator (common denominator) is identified before the user can access the network. If any of these two identifications does not give a positive result, the user will not be able to access the resources of the network. That is, in the first phase the user accesses the electronic device to make a first identification.

In the second phase, the electronic device communicates with the network operator (through the first network segment) in order to identify the user and the electronic device itself, in order to grant access to network services and resources ( since to obtain the service, this has to be identified before being produced). Therefore, as far as security is concerned, this identification becomes more robust since the verification of this data is not on the Internet or on any other platform. To be clearer, we can say that this identification is made in the first segment of the network (although if the first network segment does not have enough processing resources or enough data may have to consult other nodes in the network). Therefore, in order to interact with the electronic device or devices, it is necessary for the individual to identify himself. To illustrate the fingerprint recognition system, the block scheme shown in Figure 1 can be used, since most blocks and functions are repeated.

The main difference in this case is that in the common denominator the processing of the data obtained is not performed every time an identification is made, as will be explained below. Of course, the user's input signal would not be a voice signal as in Figure 1 but an image or a scan of the fingerprint.

The proposed recognition system is constituted, like the previous ones, by two main stages, the training or learning stage and the identification and verification stage of the individual's identity. In the first training stage (112), the system generates the models from the data extracted from the fingerprint of the people (users) that interact with the electronic device (100), these models are pre-processed by the electronic device (100) and the common denominator modules (110), generates the corresponding patterns and stores them in the internal database of the electronic device (123) and in the internal database of the common denominator (123). In contrast to facial or voice recognition, in the case of the fingerprint, the fingerprint data is not variable over time; They are also much more determining, simple and easy to extract data than in the case of facial, iris or voice recognition. Therefore, for the fingerprint does not require continuous training (as was done in recognition by voice, iris or facial), processing again the fingerprint data of the individual in the Common Denominator each time an identification is made to improve the saved patterns for that individual, since these patterns are invariable and are already sufficiently clear and complete with the initial training phase.

In the identification and verification stage, the system determines the identity of the person under analysis and verifies their identity from the user's fingerprint (also called the user's signature) to be able to build the marker, using the models (patterns) stored in the internal database (123).

The first step for the identification of the user is to obtain the image or scan of the footprint thereof, once the fingerprint data has been obtained through the electronic device (100), the data is received in the admission module of the user. data or detection (101) and pre-processing (this processing or pre-recognition module would take the place of the acoustic processing module 102 of Figure 1). In this stage the possible noises or distortions produced in the acquisition stage are eliminated. Once all the information of the data obtained has been processed, the extraction of characteristics is carried out (this extraction module would take the place of the language analysis module 103 of Figure 1), in this stage the information that it is not useful in the recognition process and only the determining characteristics will be extracted, using for example, the following techniques based on mathematical models or algorithms MINDTCT, Bozorth3, Bresenham, Hough Transform or any other known technique.

After obtaining the characteristics vectors of the user's footprint in the previous step, the comparison of patterns (123a) of the data obtained with the stored data is carried out. This is done in the internal database (123) of the electronic device (and as we will see below preferably also of the common denominator). The process of comparing input patterns (of fingerprints) with the patterns (also called signatures) of stored images allows the identification and verification of the identity of the individual to proceed. As indicated above, a model (pattern) of the footprint of each person who has had (authorized) access to the system and stored is generated in the training and learning process. Comparing the data obtained with the stored data identifies each user that interacts with the electronic device. This is done in the signature model module

(123b) Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information. Once the data obtained has been compared with the signatures (patterns) stored in the database, depending on the error that is generated from that comparison, the result can be Identified Individual (without errors), Identified Individual with errors or Unidentified Individual . For the difference between an individual identified without errors and with errors, apply the same thing that has been explained in the section of voice, facial or iris recognition. The generation of markers and codes, according to the individual has been identified without errors, with errors or not identified, is done in the same way that has been explained for voice, facial or iris recognition, so it is not necessary explain it again here.

The electronic device can send to the common denominator all the data received from the user as well as the generated markers. The common denominator can compare the marker generated by the electronic device with the pattern marker for said user (generated with the data previously stored for said user, during the training phase); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d). Or you can even repeat the identification and verification steps (123 b and 123c) in the Common Denominator to generate the marker again and compare it with the marker received from the electronic device. If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device.

The common denominator (110) can be responsible for learning from all data received by the electronic device, in addition to identifying both the legitimate individual and the electronic device in all services associated with the individual. It should be noted that in the common denominator not only the individual is identified (as is done in the electronic device) but also the electronic device is identified and that identification can be associated with that of the individual (user) that is using said device. As it happened in the rest of the recognition systems, there is an external database (124) that is in charge of sending and receiving all the data to the (and the) common denominator (that is, it acts as an interface between the database) internal of the electronic device and the common denominator). The data is not received or sent directly to the internal database of the electronic device for greater protection of the data contained in the internal database.

1.5. Recognition by Chip:

Another way to identify an individual is the use of a chip implanted in the individual (for example a subcutaneous chip or any other type). Said chip can use any communication technology; preferably said technology will be communication at close range, such as Near Field Communication technology or NFC ("Near Field Communications"). NFC is a short-range bidirectional wireless communication technology (up to 10 centimeters) that is based on different protocols such as Radio Frequency Identification (RFID). Specifically, the standards on which NFC is based are, for example, ISO-14443 and JIS X 6319-4.

NFC operates in the high frequency spectrum 13.56Mhz and supports different information ratios. NFC differs from other high frequency RFID technologies in several aspects such as that the NFC communication is bidirectional, the communication distance is 19 centimeters (versus one meter) and does not allow the simultaneous reading of more than one element. NFC also defines three modes of operation:

Point by point; in this mode, two NFC devices communicate directly with each other. It is the mode typically used for the exchange of data, credentials for the establishment of a secure network link, or exchange of any type of information.

Reading writing. This mode allows you to communicate with a memory structure to store or read information.

Emulation; this mode allows communication between two NFC devices, one of them acting as a smart card with NFC capability. This emulation can be either via hardware, through a dedicated device, or via software, where the emulation is done from an application that runs inside the operating system of the electronic device.

The characteristics of this technology and the great advantages it provides are, among others, greater security in the transfer of data (since due to its short-range communication it is more difficult for data to be intercepted by third parties), that communication between devices is done quickly and easily (simply with proximity, without the need for any configuration) and thanks to its three modes of operation, this technology is applicable to a wide variety of areas. For this proposal, the use of this technology is for the extraction of an identification marker of an individual who wants to access a network (or generally speaking to a service) through an electronic device, to authenticate said individual.

In one embodiment of the present invention, a chip (preferably using NFC technology) implanted in the individual is used to communicate with the electronic device within the existing standards. The mode of operation for this communication will be passive. The electronic device (initiator) will generate an electromagnetic field and the chip implemented in the individual will communicate with it by modulating the received signal. In this way, the chip obtains the necessary energy to operate the electromagnetic field generated by the electronic device (initiator). The communication between the electronic device and the chip of the individual is done with an encrypted communication, using one or more secure protocols such as data exchange with authorization, called PACE (Password Authenticated Connection Establishment, Authenticated Password Connection Establishment). That is to say, an encrypted exchange of data takes place between the chip and the electronic device, which prevents the unauthorized reading and the subsequent decryption of the data communication. The data obtained from the chip (which must contain an identification of the individual) by the electronic device are stored in the databases of the device itself and in the common denominator. Once the information has been obtained of the chip of the individual, the processing is done in two environments: The electronic device (Mobile Terminal, Tablet, Pe, etc.) and the so-called common Denominator (Operators, Service Providers, etc.). In the proposed solution, the identification process is carried out in two phases, in the first phase the individual is identified in the electronic device, before performing any type of operation with the electronic device. In the second phase, in parallel, the individual (the user who uses the electronic device to access the network) and the electronic device in the network operator (common denominator) is identified before the user can access the network. If any of these two identifications does not give a positive result, the user will not be able to access the resources of the network. That is, in the first phase the user accesses the electronic device to make a first identification. In the second phase, the electronic device communicates with the network operator or service provider (through the first network segment) to perform an identification of the user and the electronic device itself, to proceed to grant access to the services and network resources (since to obtain the service, it has to be identified before it occurs). Therefore, as far as security is concerned, this identification becomes more robust since the verification of this data is not on the Internet or on any other platform.

To be more clear, we can say that this identification is made in the first segment of the network (although if the first network segment does not have enough processing resources or enough data it may have to consult other nodes of the network). Therefore, in order to interact with the electronic device or devices, it is necessary for the individual to identify himself.

In Figure 2, the mechanism proposed to obtain this biotechnological marker is schematically represented. Unlike the solutions described earlier in this document, in order to obtain this new biometric marker, the interaction of an element (chip) that has been implanted in the individual is necessary to proceed with the identification thereof. The identification of the individual to subsequently create the necessary marker, consists of several stages, the first stage is the discovery (150) between the chip of the individual and the electronic device, ie in this stage the one another (their electromagnetic fields) for their recognition. Once the discovery (150) has proceeded successfully, the next step is the authentication of the chip data (150a). In this stage it is verified that both the chip implanted in the individual and the electronic device are authorized for communication between them and the encryption thereof is established, using any encryption method for the integrity of the communications. To do this, a query is made to the database (123) of the electronic device, where it is verified that the chip is registered in the database. At this point, if the chip is not registered in the database, it will not continue with the negotiation, but if, on the contrary, the chip is registered in the database, the negotiation will continue. Once it has been verified that the chip is registered in the database of the electronic device, it is negotiated (150b) and defines parameters such as the transmission speed, the identification of the device and the action to be requested. Once the parameters for the communication have been negotiated, the next step is the transfer (150c), at this stage the chip implanted in the individual sends his identification number. Once the chip has transferred the data to the electronic device, it sends a confirmation (150d) to the chip of the establishment of the communication and data transfer. This is done each time the individual interacts with the electronic device and is usually prior to the confirmation of the identification of the individual.

The identification number will be contrasted with the database of the electronic device (123) to see if said individual is registered as an individual with authorized access or not. Comparing the identification data of the individual with the stored data of registered users identifies each user that interacts with the electronic device. This is done in the identification module (123b). Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information. Once the verification of the identification number and, optionally, its verification, the marker (123d) that will be used for construction of the identity proposed in the present invention is generated. If the individual is correctly identified (ie, the identification number of the individual stored on the chip, was in the internal database as authorized access) the system constructs a marker (123d) that contains the code (which includes a message of "Start", Begin) of identification of legitimate individual. These codes are preferably hash codes for identification, verification, authentication and authorization (User / Password), which serve to access the electronic device, the network and the services associated with the individual; This marker is one of the markers used in the multiple factor ecosystem proposed in the present invention. This code is unique for each individual that interacts with the electronic device, the procedure (hash) that is used to construct the code is an algorithm that transforms the data into a series of characters with a fixed length. This code is a fixed code assigned to each user but unknown to the user. If, on the other hand, the user is not registered, therefore it can not be identified, the system will build a marker (123d) that will contain a code with a "Stop" message and will not be able to access the electronic device. This code will be sent to the common denominator (1 10) to later be analyzed. Here, unlike the other cases, there is no situation of identifying the user with errors, since we are not working with vectors of biological characteristics (voice, facial image ...) that are complex and in which we can give a greater or lesser coincidence with the stored pattern, but in this case with an identification number stored on a chip and in this case, or that number is registered in the database or is not registered. All the identification data obtained, (among others the generated marker), are sent to the database of the common denominator (11 11). This data is sent by the database of the external electronic device (124) who is in charge of establishing the communication channel using the standard encryption methods for the integrity of the communications. The common denominator can compare the marker generated by the electronic device with the standard marker for said user (generated with the data previously stored for said user); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d), which can also repeat the identification and verification stages (123 by 123c). If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device.

Sending the marker generated by the electronic device to the common denominator is done both when using this biometric technique (with recognition per chip implanted in the user) and when using any other (facial recognition, voice, microbiome, fingerprint ...). This allows the checking, identification and verification of the markers in the common denominator. It should be noted that in the common denominator not only the individual is identified (as is done in the electronic device) but also the electronic device is identified and that identification can be associated with that of the individual (user) that is using said device.

1.6. Recognition by Microbiome:

The human microbiome refers to the community of microorganisms that live in the body of an individual or human. This expression is also used to refer to the set of genomes of said community of microorganisms. Despite being such an important part of our body, the microbiome is one of the great unknown of our biology.

The Human Microbiome Project (HMP) uses metagenomics in conjunction with more traditional sequencing approaches, in order to uncover the unknown related to these microorganisms. The majority of microorganisms in our body have not been isolated as viable specimens for analysis. In addition, among the few components of the microbiome that have been isolated, genetic marker analysis and expression patterns have rarely focused on the relationship between species or interactions between the microorganism and the host, in this case the individual (human). For the construction of this marker in the authentication system in the present invention, metagenomics will be used. Metagenomics is a field that seeks to obtain genome sequences of different microorganisms, bacteria (in this case), which make up a community, extracting and analyzing their DNA globally, with this methodology, it is possible to directly sequence the genomes of microbes, without the need to grow them. In other words, metagenomics constitutes a new field of analysis based on the most recent DNA sequencing technologies that allow the analysis of complete populations of microorganisms without the need to isolate each one separately. Instead of studying separately the genome of each of the microorganisms of a population, metagenomics analyzes the genome of all the organisms of a population at the same time. The objective in this case is not so much the information related to the biochemistry and the metabolism of the organism, but rather the obtaining of particular marks or patterns that distinguish the species present in the sample. Metagenomics also serves to study the response of a certain community of microorganisms to certain factors and to check how the set of genomes of said communication is modified in response to different stimuli. The latest studies on the microbiome, show that the breath of an individual leaves the trace of its microbial cloud, to the point of being able to identify the individual only by the bacteria exhaled in the breath, after the process and the analysis of sequences that represent to thousands of bacteria of different types, the samples obtained were statistically different and identifiable, and in each of the samples a different bacterium was predetermined.

In an embodiment of the present invention, the data obtained from the microbiome sequencing through the microbial cloud of an individual will be used, and parameterizing this data by individual, to obtain the unique data chain of each individual and thus be able to construct the Identification marker that in turn will be part of the identification and authentication code between an individual or human and an electronic device. All the data obtained from the microbiome sequencing, will be stored in the internal database of the common denominator that in turn will exchange information through the database external of the electronic device, these data will be parametrizable for each identification code of each individual.

The process of this microbiome sequencing will preferably be carried out with the DNA chip devices that are in the common denominator.

Once all the information is processed, it will be stored and parameterized in the internal database and in the knowledge base. This internal database will contain all the information of the association or link of the individual and the electronic device and the unambiguous data of the individual will be extracted.

Obtaining the cloud of microbial particles can be done through an electronic device or through a third party, as will be explained below.

Through the electronic device: The safest and most reliable way to obtain the microbial particle cloud is through the use of a transport vehicle, ie an electronic device, without the need for third parties in the process. In this case, the electronic device will collect a sample of the particles from the microbial cloud and this will be sent to the data center of the common denominator to massively process and sequence the sample of the microbiome (since the electronic device usually does not have the resources computational skills needed to perform this task). Once the sample has been processed and sequenced, the necessary data will be obtained for the identification of the unique signature (also called unique code) for each individual. Normally identification by microbiome is used in conjunction with another of the identification procedures that have been explained (voice, facial ...). This prior identification can be used to associate a specific microbial cloud to a specific user, during the training process.

This signature of the unique microbiome will be sent to the electronic device through the external database of the electronic device so that it in turn is included in the internal database and thus be able to generate the identification marker. Once the marker has been generated, this will be part of the identification code between the individual (human) and the electronic device. In figure 3, the mechanism proposed to obtain this biometric / biotechnological marker is represented schematically, which is composed of several main stages. The first stage is the taking of data from the microbial cloud of the user in the electronic device (100) for further analysis (usually in the common denominator 11 1). Another stage is that once the microbial particles are massively processed and sequenced, the signature of the individual is extracted for identification and another stage consists of training and learning (1 12) of the system proposed to equip the system greater fluidity when processing and comparing the data obtained and to reduce the possible limitations when checking data.

When using the electronic device (100) for example through the voice, the individual exhales the bacteria by the breath; These particles of the microbial cloud are detected by the detection module (160), which sends the detected information to the particle container module (161) of the electronic device (100). This information collected is sent to the internal database (123), which in turn sends them to the common denominator through the external database (124) (which is in charge of establishing the communication channel with the denominator common using standard encryption methods for communications integrity). The communication technology used can be wireless broadband (11A) or guided / wired (11B).

The data received is sent to the database of the common denominator (123), which is in charge of sending the data to the processing module of the microbial particle cloud (165) to sequence and massively separate all the bacteria from the sample obtained. Once the received data is sequenced, they are transformed into digital data, with the digital data obtained, this data is sent to the feature extraction module (162). In this stage, the data obtained from the individual is separated, and all the characteristics are extracted, for which mathematical models or algorithms are used (162a). As we have indicated, this process of extracting characteristics from the microbial cloud is normally done in the common denominator although, if it has sufficient processing capacity it can also be done in the electronic device (for that, in Figure 3, modules 162 and 162a are also included as an optional possibility in the electronic device).

The extracted characteristics are compared with the data of the knowledge base (166), to delimit the chain of data that are identifying the individual (much of the extracted data are common to all individuals and only a small part is the one that it is different from one individual to another and therefore serves to identify the individual). Once the unique data of the individual has been recognized, that is, the unique and unambiguous signature of the individual has been obtained, the signature or pattern is sent to the database of the electronic device (123) that will compare it with the pattern you have stored for the creation of the marker.

The proposed recognition system will be constituted in the same way as the previous system (chip recognition), by two main stages, the training or learning stage and the identification and verification stage of the individual's identity. In the first stage of training (1 12), the system generates the models from the microbial cloud of the people (users) that interact with the electronic device; As explained above, the common denominator will process and sequence the information about the individual's microbial cloud (which will have sent the electronic device) to generate the corresponding microbial signature or pattern and store it in the internal database of the electronic device ( 123) and in the internal database of the common denominator (123). This training is not only done at the beginning but it has a continuous improvement since, every time an individual wants to access the electronic device and it must be identified in it (next step that we will explain below), the biometric data collected from the individual they are sent by the electronic device to the Common Denominator and there these data are again processed to improve the saved patterns for that individual and those improved patterns are stored and they are also sent back to the internal database of the electronic device for use in subsequent identifications. In the identification and verification stage, the system determines the identity of the person under analysis and verifies its identity from the user's microbial signature in order to construct the marker, using the models (patterns) stored in the internal database ( 123). The first step for the identification of the user is to obtain the information about his microbial cloud in the electronic device; this information will be sent to the common denominator that will process it, sequence and keep the differentiating part and send it back to the electronic device. After obtaining the microbial signature that characterizes the individual who is trying to access, it will be sent back to the electronic device where the comparison of patterns (123a) of the data obtained with the stored data is carried out. This module belongs to the internal database (123) of the electronic device (and preferably also of the common denominator). The process of comparing the entry patterns with the stored microbial patterns (also called signatures) allows the identification and verification of the identity of the individual to proceed. As indicated above, in the training and learning process, a model (pattern) is generated for each person who has had (authorized) access to the system and is stored. Comparing the data obtained with the stored data identifies each user that interacts with the electronic device. This is done in the signature model module (123b). Then, there may be a verification module (123c) where they verify that the data obtained have been correctly compared (for example, by repeating the comparison and seeing that it gives the same results), therefore verify the information. If the electronic device does not have sufficient capacity to make this comparison, it will be done in the common denominator.

Identified with errors (anomalous identification) or Unidentified Individual. For the difference between an individual identified without errors and with errors, the same applies as explained in the section on Speech Recognition. The generation of markers and codes, according to the individual has been identified without errors, with errors or not identified, it is done in the same way that has been explained for the Voice Recognition, so it is not necessary to explain it again here. The electronic device can send the generated markers to the common denominator. The common denominator can compare the marker generated by the electronic device with the standard marker for said user (generated with the data previously stored for said user); that is, the common denominator has a copy of the marker that ideally corresponds to that user and compares it with the received marker. This is done in the Marker Identification module (123d). Or you can even repeat the identification and verification steps (123 by 123c) in the Common Denominator to generate the marker again and compare it with the marker received from the electronic device. If the markers do not match (or the match is less than a predetermined threshold) access can be denied or even the marker generated by the corrected electronic device.

In addition, the Common Denominator processes all the data received to improve the different elements such as stored patterns, the methods of comparison and verification, the methods of processing the input signal ... and this will be communicated to the electronic device in order to Improve the identification process for the next occasion. The common denominator (11 1) is responsible for learning from all data received by the electronic device, in addition to identifying both the legitimate individual and the electronic device in all services associated with the individual.

With this process or methodology, it is possible to generate a signature that contains the bacteria of each perfectly identified individual, in order to build the proposed marker. In addition to the substantial advantage that this technology or methodology has, to uniquely identify an individual by the bacteria contained in his microbial cloud, the small alterations that this microbial signature suffers over time can be used for the early detection of diseases or affections The temporary knowledge base (166) that the system creates from all the signatures repeated in the time of a Individual can be used, using artificial intelligence techniques and automatic learning (112), for the inference of a multitude of data related to the health of the identified individual. Some of this information can or will be shared with third parties (167) such as entities of health systems or health systems, for the early detection of any type of alteration or disease. Health systems are organizations or entities that provide health services (hospitals, health centers, pharmacies, professional officials and public health services) as well as other networks, sectors, institutions, ministries and organizations that have a definite influence on the ultimate goal of the health system. system. Depending on the type of electronic device and its processing capacity, the entire proposed methodology of extracting the individual's microbiome signature (also called bacteria signature), may be initially performed on the electronic device, if it has sufficient capacity ( therefore in figure 3, the possibility is also pointed out that the electronic device has an extraction module, but this does not mean that the extraction is done both in the device and in the denominator, but it means that it can be done in one or the other).

Through a third party: To obtain this microbial marker, it can be done without the need to use an electronic device (100) as a transport vehicle, that is, it can be obtained with the intervention of third parties (167), such as example entities of health systems or health systems. Therefore the data of each of the individuals can be analyzed, massively sequenced in one of these third parties (167) and, once the data has been sequenced, these patterns can be processed and contrasted in the laboratories of the third parties. parts, or it can be processed in the common denominator (1 10). The difference of the processing of one or the other, is that if the processing of this data is done in laboratories external to the common denominator, in the transport to said common denominator, they may be susceptible to any alteration or modification of said process since the data they have not been obtained natively. If, on the contrary, the processing has been carried out in the common denominator, the data obtained are "native" since for the obtaining and construction of the patterns or signature of bacteria no external nodes have intervened nor has any information of the signature been transmitted outside the common denominator. This means that the data has not been susceptible to any alteration or modification.

Once the data has been processed and the patterns (signatures) of the individual have been obtained (either from the electronic device or from third parties), it is compared with the single stored pattern to generate the corresponding marker, in the same way as has explained for the previous case where the obtaining of the cloud of microbial particles was made in the electronic device. 2. Construction of identity.

With the generation and association or linking of these markers, the identification of the individual is built when accessing an electronic device, either off-line or on-line, this identification has three fundamental objectives:

- Unambiguous identification of the individual behind the electronic device: With the biometric and biotechnological characteristics (also called attributes or factors) explained above, the univocal identification of the individual is achieved, without the need for the use of any document or form to proceed to Identify the individual. By using different factors for the identification of the individual, greater security, integrity and identification robustness is achieved, since to supplant the individual it would be necessary to supplant many of the morphological data of the individual.

- More secure credentials (password) to access the systems, services and resources of the network: Another objective is the credentials

(password) to access network systems and resources. The main problem with credentials is that, to remember them more easily, the user usually uses the same types of password for all types of accounts, with the consequent danger of security. In this case and with this proposed methodology, the individual does not recognize or know the credentials (password) to access the system, but instead the credentials are generated automatically and are linked to the created markers (in fact, in a preferred embodiment these markers contain the individual's credentials); therefore the integrity of credentialing policies is much safer.

Minimize human error: As already described above, humans (ie individuals / users) are the weakest link in security, since many of the possible security attacks require the intervention (voluntary or not) of the user . Here we meet several types of people, those who do not have technological knowledge, therefore they are unaware of the dangers of having a weak password, the clueless and those who have technological knowledge, therefore they know the dangers, but even so, they are susceptible to make a mistake. What this invention aims, among other things, is to provide the necessary security mechanisms when establishing communication between an individual and electronic devices. In order to identify the individual correctly and without any security vulnerability, the different markers obtained will be used (based on the different biometric / biotechnological recognition methods used, such as those explained above). These markers are the morphological signatures of the individual and, as is logical, we must ensure that these signatures are as correct as possible. For this, a fault reputation system (which can also be called control or fault minimization) can be implemented when comparing the patterns or signatures by the database of the electronic device and the common denominator. Once all the morphological data of the individual has been collected and contrasted with the database of the electronic device, the identification of the individual will proceed univocally.

The proposed structure is based on these four stages:

• Morphological markers (biometrics and biotechnology).

• Cryptographic Hash Function.

· Offline (user) credentials.

• On-line credentials (user and electronic device).

The first step consists, as explained above, in generating the different markers from the data extracted from the user for its identification (which can be biometric characteristics, biotechnologies ...). For each method of recognition (identification) used, the corresponding marker will be obtained. Thus, these markers can be voice, facial marker, ocular recognition marker, fingerprint marker, identification marker by chip or NFC, microbiome marker ... A single marker or several can be used although, of course, how many more markers are generated and used (that is, the more recognition methods or, in other words, characteristics of the individual are used to identify it), the more difficult it will be to impersonate the individual. In one embodiment of the invention all the cited markers (voice, face marker, ocular recognition marker, fingerprint marker, identification marker per chip or NFC and microbiome marker) are used; in another embodiment at least three of these markers are used, although of course in other embodiments a greater or lesser number of markers may be used to identify the user.

Normally the content of said markers is encrypted (second stage). For this you can use different known methodologies. In a preferred embodiment the methodology used is the Cryptographic Hash function. The Hash function is a method to generate keys that uniquely represent a set of data. It is a mathematical operation to be performed on a set of data of any length. Therefore, the information contained in each marker (block) is registered once encrypted with the Hash function (which allows easy verification, but makes it unfeasible for a third party to recover the data contained in said block or marker). With this, the markers (information of the characteristics or features of the user) of an encryption are given before any communication is established. In a preferred embodiment the Hash functions that are applied are SHA-2 and SHA-3, but any others can be applied. The third stage is the unification of all the data contained in each marker (block) to identify the individual univocally that interacts with the electronic device (ie the individual that is behind the electronic device is identified). As already described above, this data is stored in the internal database of the electronic device and can be sent to the common denominator. If the data collected from the user (patterns obtained) does not correspond to the data stored in the electronic device (stored patterns for authorized users), the individual will not be able to interact with the electronic device. That is why this stage is called off-line identification, because the individual is identified to determine if he is given access to the electronic device (off-line) and not to give him access to the network (on-line), since for this last one, the chain of blocks will have to be built, as will be explained later. In an alternative embodiment, if several biometric / biotechnological features are used to identify the individual, access to the electronic device may be allowed if any of the identifications with one of the features is unsuccessful but others are.

In this third stage, the reputation reputation process of the markers obtained is initiated. To do this, we give more weight (reliability) to the markers (blocks) that have fewer failures when it comes to identifying the individual and will give less weight to the markers that have more failures. It is necessary that this fault reputation process be carried out at this stage, so that the next stage has more consistency and all possible vulnerabilities of the proposed system are purged. The proposed fault-based reputation model is designed to extract information about the behavior of the actors acting among themselves, that is between the individual and the electronic device, through the signatures or patterns that contain each marker (blocks) generated . These markers are analyzed to determine their reliability. The reputation of these markers (blocks) determines the degree of confidence that you have. The proposed reputation method is used by the electronic device and by the common denominator. This is done in order to determine the best way to solve a problem, with the generation of a solution with more probabilities of success among a possible set of solutions, where the markers (blocks) have the capacity to grant access to the electronic device and to the network services. To better explain how this reputation method works, a concrete example will be used. In said example, when the voice features and the identification through NFC chip obtained from the user are compared with the stored patterns (for example in the electronic device) for said user, it is detected that the data, signatures or patterns collected from the user (from which the corresponding markers will be generated) do not match the stored patterns. In other words, that the content of the markers generated for these two characteristics (voice and chip) will contain faults. In the other markers (facial, eye, fingerprint and microbiome) there is full coincidence. So, in this case, the reputation system gives these two markers less weight (reliability), that is, with a negative connotation. Therefore, when constructing the next stage, these two erroneous markers will be used, giving in any case less priority to the markers (blocks).

This can happen when the traits extracted from the individual do not coincide 100% (or in any case in a very high percentage) with the stored patterns but they coincide in more than a certain percentage that is marked with a threshold (for example 50%) it is considered that the individual has been identified but not perfectly (or in other words that has been identified but with errors). Even so, you can generate the corresponding marker but giving it less confidence. If the compared data coincide in less than a certain threshold (for example 50%) it is considered that the individual has not been identified and access is normally prohibited. Even in this case, the marker can be generated, although normally it is not done since the denial of access stops the entire identification procedure. The markers with errors when constructing the chain of blocks (of the English blockchain) of identification, will be able to be part of the chain of blocks but with less weight (for example they can be the last ones of the chain), or even, it can be Remove from the chain of blocks and not be part of it. The use of the marker for the construction of the chain of blocks is why, when verifying this chain in the common denominator, these blocks that can be illicit can be analyzed to perform forensic techniques on the data of the individual who has tried to impersonate to the legitimate individual. Once this stage has been completed, and the data received has been contrasted with the database containing the individual signatures or patterns; if the contrasted data are positive, the individual is identified correctly and unambiguously (the off-line identification is correct). As indicated above when the generation of markers has been explained, in a preferred embodiment, in parallel the markers have been contrasted in the common denominator with the markers stored in the common denominator for that user.

All this identification process has been done without the individual having to do anything, that is, for the identification of the individual, the morphological data of that individual has been needed, without the need to write any password (password) and without the need to remember no credentials since the credentials (any necessary password) have been generated by the proposed system.

The fourth stage consists in building an identification (credentials) based on block chains to access the resources and services of the network (such as this identification or credentials are used to determine if access to the network is given, it is called on-line, in opposed to the off-line that only served for access to the electronic device). The basis of the construction of the credentials of the individual in the electronic devices with on-line access, are the markers generated previously with the (morphological) data of the individual. In the present text, the term blocks will also be used to refer to these markers.

To provide the systems with special security measures, all of these blocks will be used for authentication (and for authorization and auditing) using a technique called dynamic multifactorial. The proposed dynamic multifactor authentication (MFAd) requires the linking of all the blocks univocally to proceed with the authentication in order to verify the legitimacy of the authentication. But not only will the generated blocks (markers) be taken into account for user identification but also identifiers of the electronic device. In other words, the multi-factor authentication proposed in the present invention combines all the constructed markers (blocks) from the biometric / biotechnological features of the user with identifiers of the electronic device (IMEI, IMSI, MSISDN, MAC, Port, NETBIOS, Operating system, identification of components such as the motherboard, hard disk, or in general any parameter that allows to identify the electronic device). Unlike the state of technology, in this methodology or technology, the individual does not know the credentials (neither is it necessary nor does he know the password) and does not have a token associated with this authentication.

The objective of this multifactor authentication (based on the morphological markers), is to create a defense by layers and make it more complicated for an unauthorized individual to access the electronic device and the network. If some of the factors are compromised or broken, the system of reputation described above, will be responsible for providing each block with more or less reliability and therefore, blocks with less reliability will be those that have less weight in the proposed system. This is given to the proposed system of dynamism because the blocks with the most errors and the most exposed, have less impact when authenticating an individual.

For this multifactor authentication, a chain of blocks will be built. The blockchain technique (also known by the acronym BC, English Blockchain) is a technique of storage and data management that can be said to be based on building a kind of distributed database, designed to avoid modification not authorized of the data it contains, formed by sets of blocks, where the blocks are linked (linked) to each other. That is, when talking about linking, association, linking or interlacing between the blocks of a chain, we mean that each block of the chain shares information from another (or other) blocks in the chain so that it can be detected that some of the blocks has been altered, analyzing the content of another or other of the blocks (for example the one that precedes or precedes it in the chain). In this case, each of the blocks of the chain will be one of the markers that contains the morphological data of an individual (biometric and biological), therefore, the chain of blocks will contain the record of the morphological data (biometric / biotechnological ) collected from an individual (as will be explained later this chain of blocks will be completed with other blocks that identify the electronic device). In one embodiment, the chain of blocks that we propose consists of all the markers explained above (Voice Recognition, Facial Recognition, Iris Recognition, Fingerprint, NFC, Human Microbiome). This is just an example and the string can be formed by only some of these markers or by other markers based on other user features. The theory of chain blocks indicates that, in general, to give sufficient strength to a chain of blocks, it should consist of at least three blocks; which means that, in this case, it is advisable to use at least three markers.

The chain will have a root block that is the block with the highest reliability of the block chain; This reliability status is granted by the fault reputation system explained above, which is responsible for attributing to a block the state of said block. Thus, normally the root block will be the one that has fewer failures or errors, that is, whose data more exactly matches the data stored for the user.

The blocks in the chain have to be linked together to ensure that the content of each block can not be altered in an unauthorized manner. To better explain how this reputation method works, a concrete example will be used. In said (non-limiting) example of a possible structure of the block chain, the blocks are structured in three levels (although of course, in other embodiments there may be more or less levels): The first level (root block) is the block of the microbiome (this is due to the fact that the proposed reputation system has detected that this block has not had errors, or is the one that has had the least errors, with the identification of the individual, therefore, the microbiome marker is the root block) ; the second level is formed by the Facial and Iris markers that depend (are linked) directly from the root block and the third level consists of the voice markers, fingerprint and NFC, which depend directly on the facial marker and Iris and indirectly on the root block. This allows the data that contains the different blocks can be linked (linked) to the root block directly or indirectly. Generally, markers at a higher level will have more reliability than lower-level markers. The root block does not always have to be the same. So if for example, the root block containing the patterns or signatures of the individual in question is altered in some way or the authentication system itself had some failure, so that the microbiome marker was no longer the least flawed; then this root block (microbiome marker) would be replaced by another block with fewer errors. In this way a method of safe and efficient verification of the contents of the data blocks is provided.

An important feature of this proposed methodology is that the blocks have the ability to interact with each other, to verify that the legitimacy of each block has not been altered, for this the blocks are linked together. Furthermore, preferably all the blocks are directly or indirectly linked to the root block, which is the block with the highest reliability of the block chain, which makes the structure even more secure.

This structure of blocks, allows to go through any point of the chain to verify that the data has not been manipulated, because if someone manipulates a block at the bottom of the block chain, it will make the block one level higher does not match , therefore, you can not alter the information contained in the block. To do this, once all the blocks have been built, and the root block has been named, this block begins to build the block chain. To build this chain, the second block is formed from the root block (or in other words the root block must be linked / linked / associated to the second block), for example the second block will contain part of the data of the second block. root block plus the data of the second block. In turn, this second block is interleaved with the root block sharing part of the data of the block for later verification; therefore when this link is built, the root block will contain the data of its own block and part of the data of the second block. In turn, the third block is formed from the second block (for this the third block will contain part of the data of the second block) and the third block in turn is intertwined as the previous block (for this the second block will contain the data of its own block and split the data of the third block) and so on. In other words, each block will contain the data of the block itself plus part (or all) of the data of the previous block plus part (or all) of the data of the next block.

To better explain how this method of building the block chain works, a concrete example will be used. For example, originally there are 4 blocks, containing three bytes of data each, so these blocks will originally contain the data A1 B1 C1, A2B2C2, A3B3C3, A4B4C4 respectively. When making the first step of the linkage (forward) by which each block is formed starting from part of the previous one, we would obtain 4 new blocks A1 B1 C1, C1A2B2C2, C2A3B3C3, C3A4B4C4. When doing the interlacing of each block with the previous one (or linkage backwards), the following chain of 4 blocks A1 B1C1A2, C1A2B2C2A3, C2A3B3C3A4, C3A4B4C4A5 would be obtained.

Figure 4 shows an example of this linkage of the block chain. In figure 4, the lower arrows between blocks indicate the construction and the link of the chain of blocks, from each block to the next (for example, the iris marker will be built on the facial marker which in turn will be built on the microbiome). The upper arrows indicate the interlacing of each block with the previous block. That is to say, with the lower arrows the blocks are built and linked, and with the upper arrows the data is interleaved between the blocks for the verification of each one of them. As can be seen in figure 4, the voice and NFC markers are the last in the chain because (according to the specific example we are showing) they are the ones with the most failures.

Each time the individual identifies in the electronic device, based on the errors of the identification process, the chain of blocks can change the root block based on the reputation system because it has been detected that there is another block with fewer failures (more reliable than the previous root block). Thus, for example, if upon identification in the electronic device, the reputation system detects that the block containing the information about the The microbiome has had errors in the identification and the iris marker has not failed because the structure of the block chain is modified and the iris marker becomes the root block. And if, for example, the reputation system detects that the NFC block has had fewer errors than the microbiome, it would also change the structure of the block chain (this way and the structure would be as in figure 5, where the block of Iris marker is the new root block and the NFC is positioned "above" the microbiome marker).

As previously described, all this process requires an automatic training or learning, which together with the reputation system, reduces the identification errors of the individual. The training and the automatic learning of the system allow with each new negotiation of identification of the individual, to know better the parameters of the individual and the improvement of the process and, therefore, the false positives and the errors will be less and less.

Once the chain of blocks containing the record of all the information (morphological) of the individual has been constructed, the next step is the construction of the identification of the electronic device. In one embodiment the markers to be used to identify the electronic device and supplement said chain of blocks may be at least one (or preferably several) of the following (this is only a non-limiting example and, of course, others may be used types of identifiers):

• User Identifier (This is not the built identifier

previously by means of the chain of blocks, but, for example the identifier that the user enters in the electronic device to register (login))

• Network identifiers.

or MAC.

or IMEI.

or IMSI.

or MSISDN.

or Others

• Operating systems. • Physical Ports.

• Others.

In a preferred embodiment, once the chain of blocks with the identifying markers (morphological records) of the user has been defined and constructed, in order to provide the necessary security to the identification, the next stage is the construction of the block chain of the Electronic device. For this, all the necessary information that identifies the electronic device for the construction of said chain of blocks has to be collected. This identifying information of the electronic device may depend on the data transmission technology (and in general, on the communication technology) used by the electronic device; for example, data transmission technologies may be the following:

Transmission of broadband data with non-guided media (also known as wireless or wireless transmission media). In these, the communication (transmission and reception) is carried out by means of antennas that communicate through the radioelectric or radiofrequency spectrum. Broadband data transmission with guided media: These are those that use physical components for the transmission of data (for example, cable transmission means those that require fiber optic, ADSL,

VDSL, etc). The WiFi system, although it has part of wireless communication (half unguided) can sometimes be considered in this first group. This is because, although in WIFI systems to communicate with the corresponding access point wireless communication is used, the broadband data communication between the access point and the network can be by cable or fiber optic, so the transmission Broadband data would really be done with guided media.

As shown in figure 6, the block chain construction between the individual and the electronic device for the proposed identification method is carried out in several stages or phases. The first of the stages is the construction of the blocks containing the credentials of the individual (user of the electronic device) as explained above (180). The second stage consists in the construction of the chain of blocks with blocks (markers) that contains the identifiers of the electronic device. If it uses data transmission technology with non-guided media (181) (such as mobile communication such as 3G, 4G, LTE, 5G or any other), the identifiers used for this type of technology are, for example:

User, IMEI, IMSI, MSISDN, Operating System Identification or any other device identifier. If the electronic device uses transmission technology with guided means (182), the identifiers used for this type of technology are: User, MAC Address, Physical Port of the network element, NETBIOS, Operating System or any other device identifier.

So many blocks that contain the identification information (both the information of the individual and the information of the electronic device), are stored in the internal database of the electronic device, and this in turn will send the stored information to the database of the electronic device. common denominator. This communication will preferably be established using standard encryption methods for the integrity of communications.

Once all the markers of the electronic device have been obtained, we proceed to the implementation of the complete block chain (the one formed by the markers of the individual and the electronic device). The proposed block chain is constituted with the root block described above, which was previously generated in the individual block structure (all the blocks generated from the individual block structure belong to the main block chain, governed by a root block). The blocks that are generated with the identifiers of the electronic device are linked to the main block chain (chain of individual identification blocks) in the same way as explained above for the chain of blocks of the individual. That is to say, a "forward" linkage is produced between the blocks with the block that follows it and they also have another linking layer consisting of the association of each of the blocks with the previous block; in this way, each block formed with the identification of the electronic device is linked or linked to the previous block and so on until it reaches the root block of the block chain of the individual. In addition, as described above, this structure of blocks, it allows to cross any point of the chain to verify that the data has not been manipulated, since if someone manipulates some block of the part inferior of the block chain, it will cause that the block that is one level above does not coincide , therefore, you can not alter the information contained in the block.

In the specific case shown in figure 6, given that the last markers of the individual block chain (the voice and the NFC in the concrete example of figure 6) have had errors and therefore their reliability is low , they will not be used for the construction of the complete block chain. Therefore, as seen in Figure 6, the identification markers of the electronic device begin to link from the fingerprint marker (ignoring the last two markers of the chain of blocks of the individual)

3. Use cases:

Next, by way of example and for a better explanation and understanding of the present invention, it is described how the proposed invention would work in different scenarios or use cases. The use cases to be described are (of course, these use cases are only by way of example and do not pretend to be in any way limiting, since the invention can be used in many other different scenarios and applications):

3.1. Identification between an individual, an electronic device (for example mobile phone) and an operator using broadband data transmission technology with non-guided media (3G, LTE, 5G technology, etc.)

3.2. Identification between an individual, a mobile phone and a network access element (router, switch, Access Point, etc.) using broadband data transmission technology with guided media (cable, fiber, ADSL) , vdsl, etc.).

3.3. Identification between the individual, a computer, an element or network access device (router, switch, AP, etc.) using broadband data transmission technology with guided media (cable, fiber, ADSL, vdsl, etc.). ) In all cases of exposed use, the same blocks (markers) containing the morphological information necessary to identify the individual will be used, and the blocks with the identifiers of the corresponding electronic device for each of the data transmission technologies.

3.1 Identification with an individual and an electronic device using broadband data transmission technology with non-guided media (3G, LTE, 5G technology ...)

In this case, the actors and components will be an individual (Alice) who wants to have access to certain information or services (for example to a communication network); an electronic device (mobile phone, for example a smart phone or Smartphone), the data transmission technology used by the electronic device to access the network (mobile technology communication) and a common denominator (mobile network operator). As described above, the proposed solution would consist of several stages such as:

Training and automatic learning.

Identification and verification of the identity of the individual.

Creation of block chain with the morphological and biological data of the individual.

Fault reputation system.

Creation of chain of identification blocks of the electronic device (Smartphone).

Link and link the chain of blocks between the individual and the device.

Figure 7 shows in a schematic diagram, how the method proposed in this case would work. As shown in Figure 7, an individual named Alice (200) will interact with the Smartphone. To access it and the resources of the network, the way to identify Alice (200) is through its morphological and biological data (fingerprint, NFC, microbiome, iris, easy, voice ...) so that Alice does not have to remember any password or the Smartphone is not going to require it. Therefore, the first step is that the Smartphone will request your data morphological and biological (201) to Alice (for example, through a message on the screen, a voice, an explanatory video or any other method). Once it receives the morphological data from the Alice (using appropriate means such as a fingerprint sensor, a camera to capture the face or the iris, a microphone to pick up the voice, an NFC communication module to communicate with the chip or the medium that is appropriate for each morphological or biological trait to be captured), these are sent to the pre-processing module (202). In this stage, the data is preprocessed and all unnecessary data are eliminated, once the pre-processing stage determines the useful data, the corresponding characteristics of the received morphological or biological trait are extracted (203). This module is supported by the models and algorithms module (204); in these steps (203 and 204) the feature vectors (signatures or patterns) of the pre-processed data are obtained. Normally this phase of obtaining the feature vectors (pattern) is done in the electronic device (as indicated in figure 7). The only exception is the microbiome, since in this case, as indicated above, this extraction of the pattern corresponding to the user is usually done in the common denominator (since the electronic device would not have sufficient resources) and then sent to the device electronic.

Once the patterns of the individual are obtained, the comparison of patterns is carried out (205). Once the necessary verifications of the signatures or patterns obtained with the patterns or signatures stored in the internal database are made, with the obtained data, the markers of the different morphological data of Alice are generated (the previous process will be done for each one of the morphological / biological traits or characteristics that are being used to identify Alice, such as fingerprint, NFC, microbiome, iris, easy, voice ...).

If in the comparison it is determined that the content of any of the patterns is not registered (206) in the database (ie, the pattern generated for the individual who is trying to access the device does not match any of the patterns stored in the database). the database for authorized users), the process ends and you will not be able to access the Smartphone (207), however, if all the employers are registered (208) in the database, you will continue with the next stage (209). In an alternative embodiment, if several biometric / biotechnological features are used to identify the individual, access to the electronic device may be allowed if any of the identifications with one of the features is unsuccessful but others are. Normally if three or less types of biometric features are used for identification, all patterns are required to match, but if more than three types of biometric features are used, access to the electronic device may be allowed even if one of the identifications is not successful.

The next stage consists in the creation of the block chain with the information of the markers obtained (210), with the reputation module (21 1) that will qualify the "reliability" of the blocks, based for example on the number of errors that have occurred in the process of comparing patterns and, more generally speaking, in the degree of coincidence that has occurred in the comparison of patterns; This reputation module will be responsible for determining which is the root block of the block chain. At the end of this stage, the construction of the block chain (212) of Alice with its biometric (morphological) data is performed.

The next stage consists in the creation and construction of the block chain of the electronic device (Smartphone, also called guest device).

This is already done in the common denominator, that is, in the network operator. To proceed with said construction of the chain of electronic device blocks, in this example, identifiers such as USER, IMEI, IMSI, MSISDN, Operating System Identifier or any other identifier can be used.

Therefore, Alice when registering her Smartphone in the network operator, all the identifiers of the guest (Smartphone) (214) will be required, once the system checks the data received by the guest, it will create with the data of each of the identifiers the host block chain (215). The next stage consists of linking and linking the chain of blocks (216)

(markers) obtained previously with the morphological data of Alice with the block chain of the host (215). An example of the chain of blocks resulting from linking the blocks of the individual with the chain of blocks of the host is shown in Figure 8 (where the voice marker and the NFC have had errors but have been decided to use for the entire block chain). Once this stage is completed, Alice will be registered in the network (217); Each individual registered in the operator must have their own chain of blocks assigned, without this identification, they will not be able to access the network resources.

Now we must determine if there has been any alteration in the chain of blocks; for this purpose, the different links between the blocks in the chain can be examined. If the common denominator has a chain of blocks stored for said user and said electronic device (obtained during the training and learning process), a comparison of the chain of blocks obtained with the stored one is also made to determine if there has been any alteration in the chain of blocks. If it is detected that the chain of blocks has undergone some alteration in the constitution of the blocks, Alice will not have access to the network operator (218). This altered block chain is stored in the DataMinig module (219) for the process of extracting information from the access attempt. If the registration is satisfactory (no alteration is detected in the block chain), the network operator (220) will be accessed. In this stage, all Alice's data are recorded, stored and processed, both the morphological data (through stages 221, 222, 223) for learning / training or the continuous improvement of patterns and signatures, such as the extraction of information of all the communications (225) of Alice. Among the information extracted is the biological information stored in the knowledge module (224) or the credentials roaming (227) and access rules or policies (226). All this information can be used for the learning / training (228) of the proposed identification system. At this stage, security policies can also be added to the whole block chain, that is, the chain of blocks formed by Alice's morphological data and the host's identifiers.

It should be noted that the exchange of data between the electronic device and the operator is done through the external database (213) and this exchange of data is usually done through encrypted communications, for greater security

3.2 Identification between an individual, a mobile phone and a network access element using a broadband data transmission technology with guided media (cable, fiber optic, ADSL, vdsl, etc.) through a third party.

In this case, the actors and components will be an individual (Alice) who wants to have access to certain information or services (for example to a communication network); an electronic device (for example, a Smartphone or any other) also called a host device, the data transmission technology used by the electronic device to access the network access element (for example WiFi), a common denominator (for example, a Network Operator) and an intermediate network access element that can be a router (router), switch (switch), a firewall (firewall), an Access Point (access point), a Customer Premises Equipment (local computer client) or any other. In this case, although the data transmission technology used by the electronic device to access the network access element can be (unguided) wireless (WiFi), the broadband data transmission technology that will be used in the operator's network is with guided media.

The proposed solution would be constituted by the same stages that have been cited for the previous use case: Training and automatic learning, Identification and verification of the identity of the individual, Creation of block chain with the morphological and biological (biometric) data of the individual , Failure Reputation System, Creation of electronic device identification block chain and Link and link the chain of blocks between the individual and the device.

Figure 9 shows in a schematic diagram, how the method proposed in this case would work, in which it is desired to make an identification between an individual and a smartphone through a network element for example with WiFi communication. As you can see, the operation is the same as the explained described for the previous use case, except for the appearance of a new participant or actor, in this case a network element. The main difference with the case presented above is that Alice (200) once Alice's block of blocks (212) is constructed (with its morphological / biological features), it is sent to the network access element (in instead of the common denominator). In addition, the block chain of the guest device

(215) with the identifiers of the electronic device, it is created in the network element, which is in charge of making the link and linking the block chain of Alice and the host. An example of the chain of blocks resulting from linking the blocks of the individual with the chain of blocks of the host is shown in figure 10. Once this stage is completed, the registration of

Alice on the network (217); Each individual registered in the operator must have their own chain of blocks assigned, without this identification, they will not be able to access the network resources. With this identification (the result of linking the chain of blocks of the individual with that of the electronic device) Alice's security roles or policies are created or generated (200)

If the chain of blocks has undergone any alteration in the constitution of the Alice blocks, the network operator will not have access to the network (218). This altered block chain is stored in the DataMinig module (219) for the process of extracting information from the access attempt. If the registration is satisfactory, the network operator (220) will be accessed. In this stage, all Alice's data are extracted, recorded, stored and processed, both the morphological data (through stages 221, 222, 223) for learning / training or the continuous improvement of patterns and signatures, such as extraction of all communications (225) of Alice. Among the information extracted is the biological information that is stored in the knowledge module (224). All this information can be used for the learning / training (228) of the proposed identification system. In this stage, the security policies associated with said user and / or device are added to the whole chain of blocks, that is to say, the chain of blocks formed by the morphological data of Alice and the identifiers of the guest. As seen in Figure 9, all this can be done in the network element. It should be noted that the exchange of data between the electronic device and the network element is done through the external database of the electronic device (213) and this data exchange is usually done through encrypted communications, for greater security.

Finally, all the data recorded in the network element are also registered in a node of the Common Denominator (Operator), for example a vCPE or any other node. This may or may not have control with the network access element, but depending on the processing capacity of the network access element, it will rely on the Operator to process said data. Therefore, in Figure 9, some of the data extraction and processing modules are repeated in the Operator node, since if the network element does not have sufficient capacity, these actions can be performed in the Operator node. The extracted information can also be used for credential roaming (227) and access rules or policies (226), therefore it is granted to the granularity identification system.

3.3. Identification between the individual, a computer, an element or network device using broadband data transmission technology with guided media, through a third party.

In this case, the actors and components will be an individual (Alice) who wants to have access to certain information or services (for example to a communication network); an electronic device (which in this case would be a computer) also called a host device, the data transmission technology used by the electronic device to access the network (guided media), a common denominator (for example, a network operator) and an intermediate element of network access that can be a router (router), switch (switch), a firewall (firewall), or any other.

The proposed solution would be constituted by the same stages that have been cited for the previous cases of use Training and automatic learning, Identification and verification of the identity of the individual, Creation of block chain with the morphological and biological data of the individual, System of reputation of failures, chain creation of electronic device identification blocks and link and link the chain of blocks between the individual and the device.

The operation would be the same as explained for the previous use case (using figure 10), only that the electronic device instead of a smartphone is a computer that uses a guided transmission medium (cable) to connect to the network (to the intermediate element of network access).

In summary, the proposed solution is based on obtaining the identity of the individual through the biometric and / or biotechnological data of said individual, through the construction of markers containing the patterns and signatures with the biometric data and / or biotechnological (to which we can call morphological data) of the individual. This technology can be applied to any electronic device and any network element, that is, to any device of an individual's daily use. The use of several biometric markers (that is why this identification system is considered to be multifactor) and linking the information of each marker with each other to proceed with the identification of the individual, gives the system a solid authentication, since the information that contains a marker can not be altered without that alteration is detected. With this contribution it is possible to solve all the attacks that are made in the biometric systems. Remember that in all current biometric systems that use multi-factor or multi-attribute authentication, any factor or attribute can be altered, this means that the attacker can alter all the data of any factor or attribute. This is because the factors or attributes do not intertwine (link) with each other, therefore it is possible that you can perform any of the attacks described above.

Once the markers described above have been obtained, an identifying block of each marker is created, with the information of all these blocks the identity of the individual is constructed. That is, the chain of blocks can be considered to be the credentials and password of the individual who has registered in the system, without the need for the individual to enter or remember any password (it is only necessary to measure the biometric features / biotechnological of the individual). Once the chain has been generated of blocks with the data of the individual, the next stage is to endow that chain with entropy; for this, among other things, the chain of blocks is endowed with a fault reputation system. The work of this system is to provide the blocks with more or less reliability depending on the erroneous data detected in the identification of the individual, with which the blocks with more errors will be the blocks with less reliability of the block chain; also be designated a root block that will be that block that has no failures or is the least failures have when identifying the individual, so the reputation system will give more reliability to that block. With this, the block structure is dynamic since this structure will depend on the reliability of each block (which will vary according to the faults that the reputation system detects in each block), therefore it can be said that this multi-factor authentication system proposed is dynamic. In addition, the user / individual does not intervene in this process to determine the reliability of the blocks.

Another important fact of this proposed methodology or technology is that the blocks have the ability to interact with each other to verify that the legitimacy of each block has not been altered, for which the blocks are linked together. The block structure allows you to go through any point in the chain to verify that the data has not been manipulated, because if someone manipulates a block at the bottom of the block chain, it will make the block one level higher does not match, therefore, you will not be able to alter the information contained in the block. Once the chain of blocks with the identification of the individual has been obtained, the next stage consists of linking and interlacing the chain of blocks of the individual with the chain of identifier blocks of the host (electronic device), in order to build the code of identification between the two actors as already described above (see for example figures 8 or 10). This is the differential factor is the most important of all, since we get to build an identification code of the individual (associated with a certain electronic device) in the network; This code or chain of blocks has been built from the beginning of the communication between the individual and the guest. This allows the system to be endowed with strong authentication, so that the identity of the individual can not be modified or altered. By using this solid authentication system, and uniquely identify the individual along with the electronic device, the data that can be collected much more complete, granular (information disaggregated by individual and not added by device without taking into account the user of this) and above all reliable.

Another important factor to highlight is the use of the human microbiome for the creation of a marker. To date no one has used this technique for the identification of an individual nor for the identification and authentication between an individual and an electronic device (guest). This marker, in addition to being extremely reliable, allows not only to identify an individual univocally by the particles of its microbial cloud, but also to obtain information about the individual's state (which allows the early detection of diseases or to better control the spread of infectious diseases, etc.)

It should be noted that not all the elements, which have been set forth in this document, are mandatory for the operation of the authentication solution proposed by the present invention; many of them are optional and depending on the particular application and the services that are desired, they can be included or not.

In addition, the term "comprises" and its derivations (such as "understanding", etc.) should not be understood in a sense of exclusion, that is, these terms should not be interpreted as excluding the possibility that what is described and define may include additional elements, stages, etc.

Some preferred embodiments of the invention are described in the dependent claims which are included below. Having sufficiently described the nature of the invention, as well as the manner in which it is carried out in practice, it is necessary to state the possibility that its different parts may be manufactured in a variety of materials, sizes and shapes, and it may also be introduced in its constitution or procedure, those variations that practice advises, as long as they do not alter the principle fundamental of the present invention. The description and the drawings simply illustrate the principles of the invention. Therefore, it should be appreciated that those skilled in the art will be able to devise various provisions which, although not explicitly described or shown in this document, represent the principles of the invention and are included within its scope. In addition, all the examples described should be considered as non-limiting with respect to such examples and conditions described in a specific manner. In addition, everything set forth in this document related to the principles, aspects and embodiments of the invention, as well as the specific examples thereof, encompass equivalences thereof.

Claims

Method for authenticating a user (200) of an electronic device (100) in a communications operator or provider of a service with which the electronic device communicates using a data transmission technology, where the method comprises the Next steps:

a) Obtain in the electronic device (100) several identification patterns of the user to be authenticated, each of these patterns based on a biometric and / or biotechnological feature different from the user;

b1) comparing (205) in the electronic device, said pattern obtained with identification patterns of users with authorized access to the operator or provider, corresponding to said biometric and / or biotechnological feature, previously stored in an internal database of the electronic device;

b2) generate in the electronic device, a marker including information encrypted on the pattern obtained for said biometric and / or biotechnological feature;

c) if none of the patterns obtained coincide with any of the previously stored patterns, deny access to the electronic device to said user and terminate the method;

d) creating in the electronic device a first chain of blocks by linking together the generated markers (210) and sending said chain (213) to a network element, where the position of each marker in the chain depends on the degree of coincidence that is has produced in the process of comparing the pattern corresponding to said marker;

e) creating in the network element (215) a second block chain with several identifiers of the electronic device, linking said identifiers together;

f) linking in the network element the second chain of blocks with the first chain of blocks (216), creating a third chain of blocks that identifies the user together with the electronic device; g) determine (217) in the network element if the third chain of blocks is valid, determining if there has been any alteration in the different links existing between the blocks of the chain;

h) if it is determined that the block chain is valid, allow the user access to the communications operator and / or service provider and use said third block chain as the user's identification in the communications operator and / or service provider; otherwise, deny the access of said user to the communications operator and / or service provider.

The method according to claim 1, wherein said network element is a node of the communications operator or service provider.

Method according to any of the preceding claims wherein said network element is a router, a switch, a firewall, an access point, or a CPE.

Method according to any of the preceding claims wherein said biometric and / or biotechnological features of the user are some of the following group: facial recognition features, voice, iris recognition features, recognition features by retina, fingerprint, microbiome , identifier stored in subcutaneous chip.

Method according to any of the preceding claims wherein step a) comprises:

- a1) Receive biometric and / or biotechnological data from the user;

- a2) Preprocessing said data;

- a4) For each biometric and / or biotechnological trait, generate an identification pattern of the user based on the vectors of extracted characteristics; where step a1) is performed in the electronic device and steps a2), a3) and a4) are performed in the electronic device or in a node of the communications operator or service provider and, in this second case, the patterns Generated user IDs are sent to the electronic device.

Method according to any of the preceding claims wherein in step b1), if any pattern obtained does not match the patterns previously stored in the electronic device, access to the electronic device is denied to said user and the method is terminated.

Method according to any of the preceding claims wherein the content of each marker is encrypted with a hash function.

8. Method according to any of the preceding claims, wherein in step f). P ^ara create the third strand blocks those blocks of the first block chain corresponding to markers from patterns whose degree of overlap is below a predetermined threshold are not used.

9. Method according to any of the preceding claims wherein the method comprises the following steps before step e):

- Check in the network element that the markers generated coincide with previously stored markers;

- If they do not match, send a message to the electronic device denying access to the electronic device to said user and finish the method.

Method according to any of the preceding claims wherein the identifiers of the electronic device are some of the following group:

Identification of the User in the electronic device, MAC, IMEI, IMSI, MSISDN, Identification of Operating System if the electronic device, to access the operator or service provider uses broadband data transmission technology with non-guided and group means : Identification of the User in the electronic device, Identification of Operating System, MAC, Netbios,

Identification of the Physical Port, Identifier of the components of the base plate of the device if the electronic device, to access the operator or service provider uses broadband data transmission technology with guided media.

1. Method according to any of the preceding claims wherein if the network element determines that any of the identifiers of the electronic device are not stored in its internal database as identifiers of an authorized device, it denies access to the network to said device .

Method according to any of the preceding claims, wherein the method further includes a training step comprising:

13. System for the authentication of a user (200) of an electronic device (100) in a communications operator or provider of a service with which the electronic device communicates using a data transmission technology, where the system comprises:

- The electronic device comprising:

- A database that stores user patterns with authorized access for different biometric and / or biotechnological features;

- Means to obtain information of several biometric and / or biotechnological features different from the user to authenticate;

- A processor configured to: - compare said pattern obtained from the user to authenticate with the patterns of users with authorized access previously stored in the database and

- generate a marker including encrypted information on the pattern obtained for said biometric and / or biotechnological feature;

- creating a first chain of blocks by linking together the generated markers (210) where the position of each marker in the chain depends on the degree of coincidence that has occurred in the process of comparing the pattern corresponding to said marker;

- means of communication for sending (213) said chain to a network element;

- The network element comprising:

- A processor configured to:

- creating a second chain of blocks (215) linking said identifiers of the electronic device together;

- linking the second chain of blocks with the first chain of blocks, creating a third chain of blocks that identifies the user together with the electronic device;

- determine if the third chain of blocks is valid, determining if there has been any alteration in the different links existing between the blocks of the chain;

- if it is determined that the block chain is valid to allow the user access to the communications operator and / or service provider and use said third block chain as identification in the communications operator and / or service provider; otherwise, deny that user's access to the operator.

14. Electronic device (100) for the authentication of a user (200) of said electronic device for access to a communications operator or service provider,

- Means to communicate with the communications operator or the service provider using a data transmission technology;

- Means to obtain information of various biometric and / or biotechnological features different from the user to authenticate;

- A processor configured to:

- compare said pattern obtained with the patterns of users with authorized access previously stored in the database and

- means of communication to send said chain to a network element.

15. Transient digital storage medium for storing a computer program comprising executable computer instructions that cause a computer executing the program to implement the method according to any of claims 1-12.