WO2021137684A1 - System and method for integrating a digital identity verification with an authentication platform - Google Patents

System and method for integrating a digital identity verification with an authentication platform

Info

Publication number
WO2021137684A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
data exchange
information
user
authentication
Prior art date
Application number
PCT/MY2020/050073
Other languages
English (en)
Inventor
Galoh Rashidah BINTI HARON
Dahlia BINTI DIN
Nor Izyani BINTI DAUD
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad
Publication of WO2021137684A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication

Definitions

  • the present invention generally relates to accessing a protected service, and more particularly to a system and method for integrating digital information from a digital identity verification platform into an existing authentication platform so as to allow a user to access the protected service.
  • a single sign-on platform or architecture may need to integrate functions such as user registration with multiple applications.
  • Each application manages user registration with a different approach.
  • a user and identity proofing mechanism is required in order to prove the user's identity before registration.
  • an agent who is an authorized entity may prove the identity by performing manual identity verification of the user's physical characteristics, such as matching the face of the physical person to the photo on a national identity card.
  • the user may need to prove their identity via email correspondence.
  • Both applications use the same authentication platform, which must therefore provide registration and authentication services to both applications.
  • a method of proving the identity of the user is required to ensure that the security level for accessing protected services remains intact.
  • the user and identity proofing mechanism information are available at the identity verification platform, while the user and authentication method information are available at the authentication platform. The two platforms, identity verification and authentication, are separated in the network, so no internal data sharing between them is available.
  • accessing the authentication platform from the identity verification platform in order to allow access to the protected services.
  • One such limitation is that there is no support for identity verification in the existing registration and authentication functionalities of the authentication platform.
  • assurance levels provide a measure of confidence that the entity claiming an identity is the entity to which that identity was assigned in the identity validation and authentication process.
  • ITU-T X.1252 describes it as the degree of confidence reached in the authentication process that the entity is what it is claimed to be or is expected to be.
  • US patent application 20160020905, entitled “Securing User Credentials”.
  • This patent application discloses a password secured using a first key.
  • the invention has at least one of a password record, a username record, and a domain name record.
  • the at least one password record, username record, and domain name record are created and associated.
  • the associated records are encrypted using a second key, wherein the second key is different from the first key.
  • a credential record is created based on the encrypted associated records.
  • This invention does not disclose increasing the assurance level of a user based on the identity of the user, nor proofing the user's credentials.
  • US patent 9646150, entitled “Electronic identity and credentialing system”.
  • US 9646150 describes an electronic credentialing system that allows personal identity devices to interact with each other.
  • Each interacting device has an installed identity engine that acquires, holds, issues and uses electronic credentials (e- credentials).
  • These electronic credentials can be installed on personal identity devices, such as smart phones, tablets, laptops, embedded systems, and/or personal computers.
  • the existing authentication platform includes an adaptive authentication platform that allows multiple methods of authentication to be presented to the user.
  • Another objective of the present invention is to provide additional authentication strength parameters through a user level of assurance.
  • the present invention provides a system for integrating digital identity information into an authentication service in order to access a protected service.
  • the system comprises at least one identity verification platform for managing transmission of user information and identity proofing mechanisms; and at least one existing authentication platform for authenticating the user information and the identity proofing mechanisms from the at least one identity verification platform.
  • the at least one identity verification platform further comprises a plurality of dependency modules, wherein the plurality of dependency modules further comprises at least one view module for managing user interaction with the system by having at least one submission information module for receiving information submitted by the user; and at least one verification information module for verifying the submitted information from the user by an administrator; and at least one controller module for triggering the user interactions and generating a response to the system, wherein the controller module further comprises at least one data exchange module for generating a structural and standard format for the information received from the at least one submission information module and the at least one verification information module; at least one security evaluation module for evaluating data security of the information generated in the at least one data exchange module; at least one cryptography module for ensuring data integrity and secrecy of the information generated in the at least one data exchange module; at least one store information module as an extension of the database functionality of the system for adding new information when receiving information generated in the data exchange module and storing the received information for a new user; and at least one communication module for transmitting the information from the at least one identity verification platform to the existing authentication
  • the at least one existing authentication platform for authenticating the user information and the identity proofing mechanisms from the at least one identity verification platform further comprising at least one registration module for registering the user information
  • the at least one registration module further comprising at least one cryptography module for ensuring data integrity and secrecy in the registration module by performing decryption using a private key for accessing a data exchange and performing verification of signature using a public key of the identity proofing mechanism;
  • at least one data exchange module for reading a structural and standard format of the data exchange and extracting the information of the data exchange; at least one level of assurance for mapping the identity proofing mechanism to a standard level of assurance;
  • at least one authentication module for authenticating the user information and identity proofing mechanism, further comprising an authentication strength module for computing a trust access level for the user information by aggregating the value of the level of assurance.
  • a method of integrating a digital identity information to an authentication service to access a protected service is provided herewith.
  • the method of the present invention comprises the steps of submitting a user information to a submission information module in an identity verification platform; verifying the user information by a verification information module in the identity verification platform; creating a final data exchange of the user information; securing the final data exchange; transferring the final data exchange from the identity verification platform to the existing authentication platform; registering the user information from the identity verification platform to a registration module in the existing authentication platform; and authenticating the user information by an authentication module and allowing access to the protected service.
  • the step of submitting a user information to a submission information module in an identity verification platform further comprises steps of constructing the user information structures as a first data exchange which consists of user identity and identity proofing mechanism in a data exchange module; evaluating security of the first data exchange by a security evaluation module; conducting a cryptography process by performing a digital signing on the information of the first data exchange based on a private key that is assigned per identity proofing mechanism; constructing a signature information structure and extending the first data exchange by including a signature information by a cryptography module; and storing a final value of the first data exchange and related information in a store information module.
  • the step of verifying the user information by a verification information module in the identity verification platform further comprises steps of providing a unique identification number of the user for checking the first data exchange at the verification information module; retrieving the first data exchange based on the user unique identification number; performing a physical identity proofing mechanism with manual verification supports; constructing an agent information structure as a second data exchange in the data exchange module; evaluating security of the second data exchange by the security evaluation module; conducting a cryptography process by performing a digital signing on the information of the second data exchange based on the private key that is assigned per identity proofing mechanism and authorized agent; constructing a signature information and extending the second data exchange by including signature information by the cryptography module; and storing a final value of the second data exchange in the store information module.
  • the step of creating a final data exchange of the user information further comprises steps of retrieving the first data exchange from the store information module based on the user unique identification number; identifying the number of data exchanges; retrieving the second data exchange from the store information module and appending the second data exchange to the first data exchange if the user has more than one data exchange; retrieving the ‘n’th data exchange from the store information module and appending it to the ‘n-1’th data exchange if the user has more than two data exchanges; and storing the final value of the data exchange in the store information module.
  • the step of securing the final data exchange further comprises steps of retrieving the final data exchange based on the user unique identification number; conducting a cryptography operation by performing encryption on the final data exchange based on the public key; storing value of the encrypted value of data exchange in the store information module; and retrieving the value of encrypted data exchange based on the user unique identification number.
  • the step of transferring the final data exchange from the identity verification platform to the existing authentication platform further comprises steps of receiving a request to submit the final data exchange from the identity verification platform to the existing authentication platform; retrieving the value of the final data exchange created in step 330; retrieving the value of the encrypted data exchange created in step 340; constructing a registration link; sending the registration link to a communication channel registered by the user; and activation of the link by the user.
  • the step of registering the user information from the identity verification platform to a registration module in the existing authentication platform further comprises steps of receiving the registration link requesting registration of a new user with an identity proofing mechanism; presenting the user information to the user to agree on sharing the user information; extracting the encrypted value of the data exchange from the registration link; conducting a cryptography process by performing decryption to obtain the content of the data exchange based on the private key dedicated to the registration link; conducting a cryptography process by verifying the signature on each data exchange based on the public key dedicated to the identity proofing mechanism; storing the data exchange in a database; extracting the value of the user information and the value of the identity proofing mechanism from the data exchange; assigning a level of assurance value to the user at a level of assurance module; storing the level of assurance value in the database; presenting user authentication information to the user; presenting authentication methods to the user; selecting a preferred authentication method and submitting the information for that authentication method; and notifying a successful registration and directing the user to login.
  • the step of authenticating the user information by the authentication module further comprises steps of receiving an authentication request to access a protected service; performing an authentication challenge and response based on input for the preferred authentication method in a challenge-response module; extracting the level of assurance associated with the unique identity information in the authentication request from the store information module if the challenge and response is successful; computing a new authentication strength associated with the user by including the level of assurance as one of the additional parameters at an authentication strength module; submitting the authentication strength value to a trust evaluation module; performing trust evaluation to set a new trust level value; comparing the newly set trust level to the value set by the protected service; performing adaptive authentication (390) if the trust value is less than the trust value set by the protected service; and allowing (391) access to the protected service if the trust value exceeds the trust value set by the protected service.
  • Figure 1 illustrates a block diagram of a system architecture for integrating a digital identity verification platform to an existing authentication platform according to one embodiment of the present invention.
  • Figure 2 is a block diagram of a plurality of dependency modules in the identity verification platform according to one embodiment of the present invention.
  • Figure 3 is a block diagram of a submission information module as illustrated in Figure 2 with identity proofing mechanism associated with a pair of private and public key according to one embodiment of the present invention.
  • Figure 4 is a block diagram of a verification information module as illustrated in Figure 2 with a physical identity proofing mechanism associated with a pair of private and public keys and an authorized agent who optionally owns a pair of private and public keys according to one embodiment of the present invention.
  • Figure 5 is a block diagram of a plurality of dependency modules in a registration module in the existing authentication platform according to one embodiment of the present invention.
  • Figure 6 is a block diagram of a plurality of dependency modules in an authentication module in the existing authentication platform according to one embodiment of the present invention.
  • Figure 7 is a flowchart illustrating a general method of integrating a digital identity verification platform to an existing authentication platform according to one embodiment of the present invention.
  • Figure 8 is a flowchart illustrating a step of submitting a user information to the submission information module according to one embodiment of the present invention.
  • Figure 9 is a sample of user information of a first data exchange according to one embodiment of the present invention.
  • Figure 10 is a sample of the user and signature information of the first data exchange according to one embodiment of the present invention.
  • Figure 11 is a flowchart illustrating a step of verifying the user information by the verification information module according to one embodiment of the present invention.
  • Figure 12 is a sample of agent information of a second data exchange according to one embodiment of the present invention.
  • Figure 13 is a sample of the agent and signature information of a second data exchange according to one embodiment of the present invention.
  • Figure 14 is a flowchart illustrating a step of creating a final data exchange of the user information according to one embodiment of the present invention.
  • Figure 15a is a sample of the first data exchange of the final data exchange according to one embodiment of the present invention.
  • Figure 15b is a sample of the second data exchange of the final data exchange according to one embodiment of the present invention.
  • Figure 16 is a flowchart illustrating a step of securing the final data exchange of the user information according to one embodiment of the present invention.
  • Figure 17 is a flowchart illustrating a step of communicating the final data exchange from the identity verification platform to the existing authentication platform according to one embodiment of the present invention.
  • Figure 18 is a flowchart illustrating a step of registering the user information from the identity verification platform to the existing authentication platform according to one embodiment of the present invention.
  • Figure 19 is a flowchart illustrating a step of authenticating the user information in the existing authentication platform according to one embodiment of the present invention.
  • the present invention provides a system and method for allowing a user to access a protected service by integrating a digital identity information to an authentication service with minimum changes on the user registration process and authentication functionalities. Integration of the identity information of the user to the authentication service is completed via identity verification platform and an existing authentication platform.
  • the identity verification platform shall collect, compose and securely communicate the information of the user associated with an identity proofing mechanism to the existing authentication platform.
  • FIG 1 illustrates a block diagram of the system (100) architecture for integrating a digital identity verification platform (102) to an existing authentication platform (103).
  • the system (100) further comprises a web browser (101) for the user to access the system (100) over a cloud interface.
  • the identity verification platform (102) is configured for managing transmission of the user information and identity proofing mechanisms to the existing authentication platform (103) by associating with multiple methods of identity proofing mechanism, wherein the multiple methods include email and remote identity verification.
  • the identity verification platform (102) further comprises an identity verification module (102a) and a database (102b) in a server.
  • the existing authentication platform (103) for authenticating the user information and the identity proofing mechanisms from the identity verification platform (102) further comprises a registration module (103a) for registering the user information, an authentication module (103b) for authenticating the user, and a database (103c) for storing the information received from the identity verification platform (102). The registration module (103a) and the authentication module (103b) are explained further in Figures 5 and 6 respectively.
  • Figure 2 illustrates a block diagram of a plurality of dependency modules (200) in the identity verification platform (102).
  • the dependency modules are categorized into two categories: the view module (220) and the controller module (240).
  • the view module (220) is for managing user interaction with the system (100), while the controller module (240) is for triggering the user interactions and generating the response of the system (100). For instance, the user performs an action by sending an HTTP request to the system (100) and the controller generates the HTTP response of the system (100).
  • the view module (220) has at least one submission information module (221) for receiving information submitted by the user and at least one verification information module (222) for verifying the submitted information from the user by an administrator. Both modules require manual intervention: the user submits the user information at 221 and an administrator verifies the submission of user information at 222.
  • the controller module (240) further comprising at least one data exchange module (241), at least one security evaluation module (242), at least one cryptography module (243), at least one store information module (244), and at least one communication module (245).
  • the data exchange module (241) is responsible for generating a structural and standard format for the information received from the view module (220).
  • the security evaluation module (242) is a module for evaluating data security of the information generated in the at least one data exchange module (241). It performs data cleansing, data verification and validation to ensure the generated information is trusted. It also secures the data exchange, including its data format and content, against any possible data security attack before the digital signature operation by either the user or the administrator.
  • the administrator is an authorized agent who submits a unique identification number of the user and performs manual verification of the user.
  • Cryptography module (243) is a module for ensuring data integrity and secrecy of the information generated in the data exchange module (241).
  • the data integrity is performed by a digital signature operation, while the data secrecy is performed by an encryption operation.
  • the information generated by the data exchange module (241) is stored in the store information module (244).
  • the store information module (244) acts as an extension of the database functionalities of the system (100) for adding new information when receiving information generated in the data exchange module (241) and storing the received information for a new user.
  • the information generated in the data exchange module (241) will be transmitted to the existing authentication platform (103) by a communication module (245).
  • the communication module (245) acts as an information transmission medium through a preferred communication channel set by the user.
  • the module (245) is responsible for transmitting the required information between separate environments so that the user can agree on the transmitted information; for example, information from the identity verification platform (102) to the existing authentication platform (103) to increase the trust level of an identity for authentication purposes.
  • FIG 3 shows the submission information module (221) having a plurality of identity proofing mechanisms, wherein each identity proofing mechanism is a method for the user to provide evidence of the user’s identity and is associated with cryptographic keys consisting of a pair of private and public keys for cryptography purposes.
  • the methods include email and remote identity verification.
  • the remote identity verification is performed either via personal computer or kiosk.
  • the remote identity verification also may support biometric evidence.
  • the cryptographic keys are used to ensure that data integrity and secrecy are guaranteed, together with non-repudiation of origin. Non-repudiation of origin follows from the user manually selecting the identity proofing mechanism and completing the submission of the required proof for it, so that the user is unable to deny which identity proofing mechanism originated the identity verification.
  • Figure 4 shows the verification information module (222) having at least a physical identity proofing mechanism, wherein the physical identity proofing mechanism support a physical proof of digital identity with manual verification and associated with a pair of private and public key for cryptography purposes.
  • the authorized agent may be associated with a pair of private and public key for cryptography purposes.
  • the cryptographic keys are used to ensure that data integrity and secrecy are guaranteed, together with non-repudiation of origin.
  • FIG 5 is a block diagram of a plurality of dependency modules in the registration module (103a).
  • the registration module (103a) is a module for registering the user information in the existing authentication platform (103).
  • the modules fall into two groups: new modules and existing modules.
  • the new modules are the cryptography module (150), the data exchange module (152) and the level of assurance module (154).
  • the cryptography module (150) is configured for ensuring data integrity and secrecy in the registration module (103a) by performing decryption using a private key for accessing a data exchange. It also performs verification of the signature using the public key of the identity proofing mechanism to ensure the integrity of the data exchange. Once the security process has completed successfully, 102a stores the data exchange in a database (103c).
  • the data exchange module (152) is responsible for reading the structural and standard format of the data exchange and extracting the information of the data exchange. It extracts the value of the user information and the method of identity proofing and stores the new values in the user database (103c).
  • the level of assurance module (154) is responsible for mapping the identity proofing mechanism to a standard level of assurance by setting a value for the method of identity proofing and storing the level of assurance value in the user database (103c).
  • the assurance level of an existing user is set to a default value of 1, while the assurance level of a new user is set to a variable value that depends on the method of identity proofing. As the strength of the identity proofing mechanism increases, the assurance level increases as well.
  • An example of the strongest identity proofing mechanism is manual verification of the user information by the authorized agent, where the user and the authorized agent each have their own information for verification purposes.
  • the existing modules shown in Figure 5 are the user information and store information modules. These two modules existed before the integration of the identity verification platform. Both modules are involved in managing and storing user information for authentication purposes in the user database (103c).
  • FIG 6 describes modules in the user authentication module (103b) for the existing authentication platform (103).
  • the authentication module (103b) is for authenticating the user information and identity proofing mechanism received from the identity verification platform (102).
  • the modules fall into two groups: a new module and existing modules.
  • the new module is the authentication strength module (160) for computing a trust access level for the user information by aggregating the value of the level of assurance.
  • the authentication strength module (160) is a logical module for computing the trust access level for the user. It performs a logical operation by aggregating the value of the level of assurance with the authentication mechanism and attributes used: it sums the value of the level of assurance and the value of the selected authentication mechanism, then sets the new trust level value and the total authentication strength value for the user to access the system (100).
  • the module (160) further sets the trust access level and presents the authentication strength value of the user for access to the system (100).
  • FIG. 7 is a flowchart illustrating a general method of integrating a digital identity verification platform to an existing authentication platform.
  • the method for accessing a protected service by integrating digital identity information into an authentication service comprises the step of submitting (310) user information to a submission information module (221) in the identity verification platform (102).
  • the user information is then verified (320) by the verification information module (222) in the identity verification platform (102), and a final data exchange of the user information is created (330).
  • the final data exchange then needs to be secured by encrypting it based on the public key (340).
  • the final data exchange will be transferred (350) to the existing authentication platform (103).
  • the user information from the identity verification platform (102) needs to be registered (360) in a registration module (103a) in the existing authentication platform (103).
  • the user information will then be authenticated (380) by the authentication module (103b) for allowing access to the protected service.
  • the step of submitting (310) the user information to the submission information module (221) in the identity verification platform (102) is illustrated as in figure 8.
  • the user identity information submitted in this process is not limited to the name and address of the user.
  • a selected interface is presented to the user with a submit button to allow the user to enter and submit the required information.
  • the identity verification platform (102) will set the identity proofing mechanism as remote identity proofing (kiosk).
  • User submission information is not limited to manual input only; it may also come from automatic input, wherein the user information is extracted from a national identity card by an electronic card reader.
  • the received user information is then constructed (311) as a first data exchange which consists of user identity and identity proofing mechanism in the data exchange module (241).
  • the structure and content of the first data exchange require a security evaluation (312) by the security evaluation module (242). It performs data cleansing to eliminate security attacks based on input validation vulnerabilities such as SQL injection and cross site scripting (XSS). After a successful data cleansing, the focus shifts to ensure data integrity of the first data exchange.
  • XSS cross site scripting
  • a cryptography process is conducted (313) by performing a digital signing on the information of the first data exchange based on a private key that is assigned per identity proofing mechanism.
  • Figure 9 shows the block of data of the first data exchange, which is the input data for the digital signing operation.
  • the identity verification platform (102) further constructs (314) a signature information structure and extends the first data exchange by including signature information such as a hash algorithm, the hash of the first data exchange, the signature algorithm, the signing time and the signature generated by the cryptography module (243), as in step 314.
  • the identity verification platform (102) stores the final value of the first data exchange and any related information in the store information module (244) as in step 315.
  • the step of verifying (320) the user information by a verification information module (222) in the identity verification platform (102) further comprises steps of providing (321) a unique identification number of the user for checking the first data exchange at the verification information module (222).
  • a selected interface, such as a graphical user interface (GUI), is presented to the authorized agent with a submit button to allow the agent to verify and submit the required information.
  • the administrator, who is the authorized agent, provides the unique identification number of the user and submits the information to check the first user data exchange available at the platform, as in step 321.
  • the verification information module (222) retrieves and presents the first data exchange based on the user unique identification number (322).
  • the administrator performs a physical identity proofing mechanism with the support of manual verification methods, as in step 323. For example, the user who is in person with the administrator is asked for evidence to prove the user’s identity.
  • the identity verification platform (102) presents the first data exchange that contains the user information to the administrator, who then manually compares the user information to the evidence, such as a national identity card.
  • the identity verification platform (102) constructs (324) an agent information structure as a second data exchange, which consists of the user identity proofing field and type, the agent identity and the identity proofing mechanism, in the data exchange module (241).
  • A sample of the agent information of the second data exchange is shown in figure 12.
  • the structure and content of the second data exchange require a security evaluation (325) by the security evaluation module (242). It performs data cleansing to eliminate the security attacks based on input validation vulnerabilities such as SQL injection and cross site scripting (XSS). After a successful data cleansing, the focus shifts to ensure data integrity of the second data exchange.
  • the further process then involves a cryptography process by performing a digital signing on the information of the second data exchange based on the private key that is assigned per identity proofing mechanism and authorized agent (326).
  • FIG. 13 shows the block of data of the second data exchange, which is the input data for the digital signing operation.
  • a further step constructs (327) a signature information structure and extends the second data exchange by including signature information such as a hash algorithm, hash of the first data exchange, signature algorithm, signing time and signature generated by the cryptography module (243).
  • the platform (102) stores (328) the final value of the second data exchange in the store information module (244).
  • the next step is creating (330) a final data exchange of the user information, as illustrated in the flowchart in figure 14.
  • the method (330) further comprises steps of retrieving (331) the first data exchange from the store information module (244) based on the user unique identification number.
  • the unique identification number can be a national identification number or a security governance.
  • the final formulation of the final data exchange is not limited to the signing time of each data exchange or to the type of the identity verification.
  • the final data exchange is a series of multiple data exchanges, each of which has undergone at least one signature operation. Further steps continue by constructing the series of data exchanges, appending all the data exchanges available for the user, as in steps 333 and 334. To perform steps 333 and 334, the number of data exchanges needs to be identified (332).
  • the second data exchange is retrieved (333) from the store information module (244) and appended to the first data exchange. If the user has more than two data exchanges, the ‘n’-th data exchange is retrieved from the store information module (244) and appended to the ‘n-1’-th data exchange, as in step 334.
  • the final value of the data exchange is stored (335) in the store information module (244). As an example, a sample in which the first data exchange is the user with remote identity verification and the second data exchange is the agent verifying the user information with physical identity verification is shown in figures 15a and 15b.
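The construction, cleansing and signing of a data exchange (steps 311 to 315 and 324 to 328), the series that becomes the final data exchange (steps 332 to 335) and the per-element signature check of step 365, as an added example in Go written for this page; it is not code from the patent or from Mimos Berhad. The field layout, SHA-256, Ed25519 and the JSON canonicalisation are assumptions, and the key map stands for the key pair assigned per identity proofing mechanism.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
	"unicode"
)

// DataExchange: the submitted fields, the identity proofing mechanism and the
// signature information appended in steps 314/327 (field names are assumed).
type DataExchange struct {
	Fields      map[string]string `json:"fields"`
	Mechanism   string            `json:"mechanism"`
	HashAlg     string            `json:"hash_alg"`
	Hash        string            `json:"hash"`
	SigAlg      string            `json:"sig_alg"`
	SigningTime string            `json:"signing_time"`
	Signature   string            `json:"signature"`
}
// Cleanse (steps 312/325) rejects oversized values, control characters and SQL/XSS metacharacters outright.
func Cleanse(fields map[string]string) error {
	for k, v := range fields {
		if len(v) > 256 || strings.ContainsAny(v, "<>\"';\\") || strings.IndexFunc(v, unicode.IsControl) >= 0 {
			return errors.New("rejected field: " + k)
		}
	}
	return nil
}
// signedBlock is the input to the signing operation (figures 9 and 13); json.Marshal sorts map keys, so it is canonical.
func signedBlock(d DataExchange) []byte {
	b, _ := json.Marshal(map[string]interface{}{"fields": d.Fields, "mechanism": d.Mechanism})
	return b
}
// Sign (steps 313/314, 326/327) cleanses, signs with the mechanism's private key and appends the signature information.
func Sign(d DataExchange, priv ed25519.PrivateKey, now time.Time) (DataExchange, error) {
	if err := Cleanse(d.Fields); err != nil {
		return d, err
	}
	block := signedBlock(d)
	sum := sha256.Sum256(block)
	d.HashAlg, d.SigAlg, d.SigningTime = "SHA-256", "Ed25519", now.UTC().Format(time.RFC3339)
	d.Hash = base64.StdEncoding.EncodeToString(sum[:])
	d.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, block))
	return d, nil
}
// VerifySeries (step 365) checks each element with the public key registered for its mechanism; one bad element fails all.
func VerifySeries(series []DataExchange, keys map[string]ed25519.PublicKey) bool {
	for _, d := range series {
		block := signedBlock(d)
		sum := sha256.Sum256(block)
		sig, err := base64.StdEncoding.DecodeString(d.Signature)
		pub, ok := keys[d.Mechanism]
		if err != nil || !ok || d.Hash != base64.StdEncoding.EncodeToString(sum[:]) || !ed25519.Verify(pub, block, sig) {
			return false
		}
	}
	return len(series) > 0
}
```

Because the mechanism is part of the signed block, an element cannot be re-labelled from remote to physical proofing after signing without failing verification.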
  • Figure 16 describes the process flow of securing the data exchange.
  • the step of securing the final data exchange (340) further comprises steps of retrieving (341) the final data exchange based on the user unique identification number.
  • a cryptography operation is conducted (342) by performing encryption on the final data exchange based on the public key of the intended source.
  • the source may be any of multiple services, each with its own public key; managing these public keys, that is adding and deleting keys, is part of performing the encryption process.
  • the encrypted value of the data exchange is stored (343) in the store information module (244), and the encrypted data exchange is retrieved (344) based on the user unique identification number.
  • the final data exchange is transferred (350) from the identity verification platform (102) to the existing authentication platform (103) through the communication module (245) as illustrated in figure 17.
  • the step further comprises receiving (351) a request to submit the final data exchange from the identity verification platform (102) to the existing authentication platform (103).
  • the value of the final data exchange created in step 330 and the value of the encrypted data exchange created in step 340 are retrieved, as in steps 352 and 353.
  • the method further constructs (354) a registration link with the result of the encrypted data exchange, wherein successful encryption is achieved when the correct private key is presented to match the public key and the message is able to be read (decrypted).
  • the registration link is sent (355) to a communication channel registered by the user, such as the user’s email or mobile number.
  • the user receives the registration link and acts to activate the link (356).
  • the link states that the user agrees to share the user information from the identity verification platform (102) with the existing authentication platform (103).
  • the further step in transmitting the data exchange from the identity verification platform (102) to the existing authentication platform is illustrated in figure 18.
  • the step of registering (360) the user information from the identity verification platform (102) to a registration module (103a) in the existing authentication platform (103) further comprises steps of receiving the registration link requesting to register a new user with an identity proofing mechanism, as in step 361.
  • the user information is presented (362) to the user for the user to agree on sharing the user information.
  • the encrypted value of the data exchange is extracted (363) from the registration link.
  • a cryptography process is conducted (364) by performing decryption to obtain content of the data exchange based on the private key dedicated to the registration link.
  • Another cryptography process is also conducted (365) by verifying the signature on each data exchange based on the public key dedicated to the identity proofing mechanism and the authorized agent.
  • the data exchange is then stored (366) on a database (103c), provided that the signature verification is valid at the store information module (244).
  • the value of the user information and value of the identity proofing mechanism are extracted (367) from the data exchange and stored in the database (103c).
  • the existing authentication platform then assigns (368) the level of assurance value dedicated to the user at the level of assurance module (154), which is derived from the identity proofing mechanism, and stores (369) the level of assurance value in the database (103c).
  • the user authentication information, such as the user identity, is presented (370) to the user. Other than the user authentication information, the authentication methods available in the system are also presented (371) to the user. The user selects a preferred authentication method and submits the information for the selected authentication method (372). Lastly, if the registration is successful, a notification is sent to the user directing the user to log in to the protected service (373).
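The securing and transfer of the final data exchange (steps 342/343, 354, 363 and 364) as an added example written for this page, not code from the patent: public keys are managed per intended source, the encrypted value travels inside the registration link, and the receiving platform extracts and decrypts it. The hybrid scheme (RSA-OAEP wrapping an AES-256-GCM content key), the base URL and the query parameter name are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/url"
	"strings"
)

// KeyRing is the public-key management of step 342: one RSA public key per intended source (service).
type KeyRing map[string]*rsa.PublicKey
// Envelope is the encrypted value stored in step 343. RSA-OAEP alone cannot hold a whole final
// data exchange, so a random AES-256-GCM content key is wrapped with the source's RSA key (assumed hybrid scheme).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
func gcmFor(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // the key length is checked by both callers
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Encrypt (step 342) encrypts the final data exchange for one intended source. The service name
// is bound as OAEP label and GCM associated data, so an envelope for one service cannot be redirected to another.
func Encrypt(ring KeyRing, service string, plaintext []byte) (Envelope, error) {
	pub, ok := ring[service]
	if !ok {
		return Envelope{}, errors.New("no public key registered for " + service)
	}
	buf := make([]byte, 44) // 32-byte AES-256 content key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(service))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{wrapped, nonce, gcmFor(key).Seal(nil, nonce, plaintext, []byte(service))}, nil
}
// RegistrationLink (step 354) carries the envelope in the query string of the registration URL;
// the base URL and the "dx" parameter name are assumptions.
func RegistrationLink(base string, e Envelope) string {
	b, _ := json.Marshal(e)
	return base + "?dx=" + base64.RawURLEncoding.EncodeToString(b)
}
// Decrypt (steps 363/364) extracts the envelope from the activated link and decrypts it
// with the private key dedicated to the registration link.
func Decrypt(link string, priv *rsa.PrivateKey, service string) ([]byte, error) {
	q, err := url.ParseQuery(link[strings.IndexByte(link, '?')+1:])
	raw, err2 := base64.RawURLEncoding.DecodeString(q.Get("dx"))
	var e Envelope
	if err != nil || err2 != nil || json.Unmarshal(raw, &e) != nil || len(e.Nonce) != 12 {
		return nil, errors.New("malformed registration link")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, []byte(service))
	if err != nil || len(key) != 32 {
		return nil, errors.New("content key could not be unwrapped")
	}
	return gcmFor(key).Open(nil, e.Nonce, e.Ciphertext, []byte(service)) // fails on any tampering
}
```

The plaintext handed to Encrypt is the final data exchange of step 330 (for instance its JSON form), and the decrypted bytes are what step 365 then verifies signature by signature.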
  • Figure 19 illustrates the step of authenticating (380) the user information by the authentication module (103b) for allowing the user to access to the protected service.
  • the method of authenticating (380) the user information by the authentication module (103b) further comprises steps of receiving (381) an authentication request to access to a protected service.
  • the system (100) performs (382) an authentication challenge and response, based on the input for the preferred authentication method, in a challenge-response module. For a successful challenge and response (383), the system (100) extracts (384) the level of assurance associated with the unique identity information generated in the authentication request from the store information module (244).
  • the success of the challenge and response (383) is determined by observing the user’s response to the authentication challenge, that is whether the login or any operation required during the authentication process succeeds. If the challenge and response (383) is not successful, the previous step (382) is repeated.
  • a new authentication strength associated to the user is computed (385) by including the level of assurance as one of the additional parameters at the authentication strength module (160).
  • the authentication strength value is sent (386) to the trust evaluation module.
  • the system (100) further performs several trust evaluations to set a new trust level value (387).
  • the newly set trust level is compared (388) to a value set by the protected service. If the trust value exceeds the trust value set by the protected service (389), the system (100) allows the user to access the protected service (391). However, if the trust value is less than the trust value set by the protected service (389), the user is required to perform adaptive authentication (390), wherein the user needs to log in using another method of authentication, and the new aggregation value will be sufficient for the user to access the protected service.
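The level of assurance of step 368 and the decision flow of steps 385 to 391 as an added example written for this page, not code from the patent: the level of assurance enters the authentication strength as an additional parameter, the trust level is compared with the service's setting, and when it falls short the untried methods that would make the new aggregate sufficient are offered as adaptive authentication. Every score, the method names and the known-device signal are constructed assumptions.

```go
package main

import "sort"

// LevelOfAssurance (step 368) derives the level of assurance from the identity proofing
// mechanisms in the final data exchange; the ranking (physical above remote) is an assumption.
func LevelOfAssurance(mechanisms []string) int {
	loa := 0
	for _, m := range mechanisms {
		if r := map[string]int{"remote": 1, "physical": 2}[m]; r > loa {
			loa = r
		}
	}
	return loa
}
// methodStrength is an assumed score per authentication method offered in step 371.
var methodStrength = map[string]int{"password": 1, "otp": 2, "fido2": 3}
// Session is one authentication request: the user's level of assurance, the methods whose
// challenge-response (steps 382/383) already succeeded, and one assumed trust signal.
type Session struct {
	LoA         int
	Succeeded   []string
	KnownDevice bool
}
// AuthenticationStrength (step 385) aggregates the succeeded methods and adds the level of
// assurance as an additional parameter.
func AuthenticationStrength(s Session) int {
	total := s.LoA
	for _, m := range s.Succeeded {
		total += methodStrength[m]
	}
	return total
}
// Decision is the outcome of step 388: access (391), or adaptive authentication (390) with
// the untried methods whose success would make the new aggregate sufficient.
type Decision struct {
	Trust       int
	Allowed     bool
	NextMethods []string // empty while Allowed is false: no single extra method can reach it
}
// Evaluate runs the trust evaluation (387) and compares the result with the value set by the
// protected service (389); the threshold is treated as inclusive, which the description leaves open.
func Evaluate(s Session, threshold int) Decision {
	d := Decision{Trust: AuthenticationStrength(s)}
	if s.KnownDevice {
		d.Trust++ // assumed trust evaluation: a known device adds one point
	}
	if d.Trust >= threshold {
		d.Allowed = true
		return d
	}
	tried := map[string]bool{}
	for _, m := range s.Succeeded {
		tried[m] = true
	}
	for m, strength := range methodStrength {
		if !tried[m] && d.Trust+strength >= threshold {
			d.NextMethods = append(d.NextMethods, m)
		}
	}
	sort.Strings(d.NextMethods) // map iteration order is random; keep the offer deterministic
	return d
}
```

After the user completes one of the offered methods, the method is appended to Session.Succeeded and Evaluate is run again, which is the re-aggregation of step 390.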
  • the terms “a” and “an,” as used herein, are defined as one or more than one.
  • the term “plurality,” as used herein, is defined as two or more than two.
  • the term “another,” as used herein, is defined as at least a second or more.
  • the terms “including” and/or “having,” as used herein, are defined as comprising (i.e., open language).

Abstract

The present invention relates to a system (100) and a method (300) for integrating digital identity information into an authentication service for accessing a protected service. The system (100) comprises at least one identity verification platform (102) and at least one existing authentication platform (103). The identity verification platform (102) further comprises a submission information module (221), a verification information module (222), a data exchange module (241), a security evaluation module (242), a cryptography module (243), a store information module (244) and a communication module (245). The existing authentication platform (103) further comprises a registration module (103a), an authentication module (103b) and a database (103c). Furthermore, the method (300) for integrating digital identity information into an authentication service for accessing a protected service is described herein for implementing them.
PCT/MY2020/050073 2019-12-31 2020-08-24 System and method for integrating digital identity verification to authentication platform WO2021137684A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2019007959A MY202429A (en) 2019-12-31 2019-12-31 System and method for integrating digital identity verification to authentication platform
MYPI2019007959 2019-12-31

Publications (1)

Publication Number Publication Date
WO2021137684A1 true WO2021137684A1 (fr) 2021-07-08

Family

ID=76686979

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2020/050073 WO2021137684A1 (fr) 2019-12-31 2020-08-24 System and method for integrating digital identity verification to authentication platform

Country Status (2)

Country Link
MY (1) MY202429A (fr)
WO (1) WO2021137684A1 (fr)

Also Published As

Publication number Publication date
MY202429A (en) 2024-04-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 20909462; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 20909462; Country of ref document: EP; Kind code of ref document: A1