|Title of Invention||
BIOMETRIC ASSISTED SYSTEM FOR SECURE OPERATION OF A SECONDARY SYSTEM AND METHOD THEREOF
|Abstract||The present invention provides a system and a method to provide biometric solutions for authentication and authorization of security systems to execute secured transactions. The present invention also provides a method to authenticate and authorise the security systems for executing the secured transactions using biometric solutions. The system and the method of the present invention are also integrated with the known security systems to implement the authentication and authorization of transactions.|
|Full Text||INTEGRATED SECURITY SYSTEM FOR BANKING SERVICES USING
The present invention relates to the field of security systems wherein Biometric Solutions
are used in integration with the existing available security systems to enable both the authentication and the authorization that are needed to complete transactions. The present system also provides a method to authenticate and authorise the security systems for completing the transactions.
Background and Prior art
Organisations have historically managed rapid organic growth by proliferating application
systems to support new products or services. Inorganic growth compounds the situation.
These applications mostly have custom built information security management layer.
Accessing the system is via passwords, PIN numbers, user identifications etc., hereinafter
referred to as access codes. In these cases an employee in a large organisation needs to
remember between 5 and 30 access codes. These need to conform to complex security
policies, making them difficult to remember/ recall, which often leads to such information
being written down on sticky notes or stored in unencrypted text files on employees'
workstations. These activities more often than not compromise information security;
using the same access codes on all machines/applications defeats the very purpose for
which such elaborate security measures were put into place in the first place. Moreover,
in certain instances, the access codes are a combination of easily available personal
details such as birthdays, anniversaries, telephone numbers etc., which
makes accessing such protected information very easy. Statistics reveal that on an
average an employee spends as much as 44 hours a year supplying user credentials to
access just four applications. Furthermore, a greater number of access codes implies an
increased expenditure of IT resources on security administration - issuing access codes to
new employees, revoking those of former employees, and replacing/resetting the lost or
forgotten access codes of current employees - resulting in poor turnaround times and
mounting overheads. Companies with multiple-access code secured systems often
attribute 25% or more of help desk calls to access code related issues. For a 10,000-person
organisation, that translates into millions of dollars annually. Further, the user is inactive
till the administrator resolves the access code issue, causing avoidable employee
Maintaining the information security layer within each of the applications also diverts significant resources into building and maintaining the same function many times over, which results in spiralling costs.
An existing security system used in the Banking, Financial Services and Insurance sector is Intellect ARMOR, which is an integrated, modular and customizable suite of Security Services providing Single Sign-On (SSO) to applications across technologies. ARMOR can be deployed in a very short time frame.
ARMOR makes it easier for end-users, to securely sign-on to multiple applications through a friendly, browser-based front-end. It is specially designed to allow the user to securely access any browser based, desktop, Client-Server Based, Unix-based or Character / Green screen applications by means of a single User-ID and password combination. User authentication is done by means of a configurable, static password or by a single-use, dynamic password generated by a hardware device.
ARMOR further supports role-based access control, where one can define the applications as well as the underlying menus or functions that a user can access according to the role in the organisation.
ARMOR provides a single-point administration tool for the security administrator to create and manage multiple applications and users. It allows the administrator to assign passwords used by the applications such as relational databases and Unix hosts, thereby reducing the workload. Furthermore, ARMOR generates audit reports and logs sensitive events such as unauthorized login attempts/failures.
Different combinations of the ARMOR components described above can be deployed interchangeably giving greater flexibility.
For example, when an ATM card is used to withdraw funds from a bank account, the functional architecture of Intellect ARMOR is that the access code, namely the PIN number, is entered; if it is correct, the correct access code identifies/certifies the authenticity of the owner of the bank account, i.e. authenticates the person, and allows access to complete the transactions for which the said access code was punched in, i.e. also authorizes the said person to complete the transactions. In the event of wrong access codes being entered, ARMOR short-circuits the transactions and the said transactions are terminated.
Intellect ARMOR is an integrated, modular and customizable suite of Security Services providing Single Sign-On (SSO) to applications across technologies. INTELLECT ARMOR makes it easier for end-users, to securely sign-on to multiple applications through a friendly, browser-based front-end. It is specially designed to allow the user to securely access any browser based, desktop, Client-Server Based, Unix-based or Character / Green screen applications by means of a single User-ID and password combination.
User authentication is done by means of a configurable, static password or by a single-use, dynamic password generated by a hardware device.
INTELLECT ARMOR provides a single-point administration tool for the security administrator to create and manage function entitlements for application users. Hence information about what system resources and which application functions will be available to users is stored and controlled by Armor. INTELLECT ARMOR further supports role-based access control, where one can define the applications as well as the underlying menus or functions that a user can access according to the role of the person in an organisation.
Different combinations of the INTELLECT ARMOR components described above can be deployed interchangeably giving greater flexibility.
The advantages of Intellect ARMOR are four-fold, namely the facilitation of multiple usage, single-point administration to manage multiple applications, lower cost of maintenance and flexibility of use.
Ease of use - ARMOR is designed for the end-user. It satisfies today's single sign-on requirements, enabling users to access multiple applications through a single screen -reducing the drudgery and wastage of entering one's credentials into multiple logon
Single-point administration - Administrators can manage multiple applications based on
different technologies through a single point, thus lowering administration cost and
Cost efficiency - Being a web-based system, ARMOR brings down the cost of
maintenance, licensing, scaling and upgrading diverse applications' security, thereby
bringing down the overall technology cost.
Flexibility - ARMOR is a highly flexible product that allows complete configuration of the
password rules defined within an organisation. It has the ability to integrate with third
party authentication providers. It also allows automated password administration with
applications and has a complete set of APIs to integrate easily with client applications
running on diverse platforms like UNIX, NT and AS400.
Architecture Highlights & Technology Environment
The limitation of Intellect ARMOR is the inadequate security of the access codes, which
can be lost, easily cracked, forgotten, stolen etc.
Existing technology in security systems using Biometrics is the use of Fingerprint
Scanners, Facial recognition systems and Iris recognition systems.
The word "Biometric" has recently been adopted by the information technology sector to
refer to a field of technology devoted to the identification of individuals using biological
and behavioural traits.
For example, Iris recognition is used around the world for physical access control namely
at the Sydney Olympic Games and at London's Heathrow Airport and is now also used to
control access to IT systems.
The system can be used to identify individuals as they log into a system, and to control
access to programs, folders, documents, VPNs, and Web sites or individual pages.
Potential applications include kiosk access, customer identification for contact centres, and
online payments etc.
Unlike fingerprint or face recognition, accuracy is unaffected by dirt, cuts, gloves, masks
and so on, nor do spectacles or contact lenses present any problems.
This technology however has not been merged with the existing security services in the
field of Banking Services and that is the invention disclosed in this application.
US 5,787,186 deals with biometric security procedure for manufacturing an identity
document, such as an identity card, credit card, visa or passport using facial recognition.
This is basically done by providing a nucleus of the identity document, the nucleus
including personal data of a holder of the identity document and a face image of the
holder, the computer carrying out an analysis of basic face features of the face image,
comparing the basic face features with master/pattern features in a database, wherein each
master/pattern feature has a specific number; obtaining by the analysis a derived set of
master/pattern features that corresponds to a characteristic synthetic image of the holder,
the derived set of master/pattern features corresponding to a specific numeric code
determined by the number of each of the master/pattern features making up the derived set
of master/pattern features; and printing the specific numeric code by a printer connected to
the computer, on an area of the identity document defined as a code window, whereby the
specific numeric code univocally characterizes the holder of the identity document.
US 6393139 deals with a security access method and/or apparatus that verifies both the
user's fingerprints and the fingerprint entering sequence to determine whether an access
can be authorized. By using both the fingerprints and the entering sequence as the access
criteria, a highly secured device can be created using low cost commercial available
US 6314401 deals with an invention that generally includes three principal components, namely (1) a hand-held transceiver for transmitting a voice pattern while moving (e.g., driving) past an (2) infra-red receiver array which receives the transmitted voice pattern, and (3) a speech enhancement and voice verification algorithm for conducting a comparison between the transmitted voice pattern and the registered voice patterns stored in the computer's memory. The processing computer will first recognize the spoken phrase, and then perform speaker verification using speech processing and comparing algorithms consisting of a speech recognizer and a vector quantification software classifier, ultimately sending a "pass" or "fail" signal to a control center computer based upon whether the speaker's voice pattern matches one of the voice samples stored in the computer's memory.
US 6715674 deals with the Biometric factor augmentation method for identification
systems. The most preferred method of augmenting an existing token-based identification
system is to splice into a data stream transmitted from a token reader to a control panel
such that an acquired token factor from a user is intercepted by a biometric identification,
or authentication, system that is wedged in series at a splice in the data stream.
When the token reader transmits a data stream, such as a Wiegand interface, to the control
panel, the data stream is used by the biometric identification system to prompt the user to
present an anatomical feature to a biometric reader. The biometric reader creates a
biometric inquiry template that is transmitted to a biometric search engine, along with the
acquired token factor, such as a PIN or barcode, to perform data match analysis against
one or more enrollment templates associated with the acquired token factor. The search
engine will either match an authorized user or reject an unidentifiable user. If there is a
match, then the data stream is allowed to pass from the biometric reader to the control
panel of the existing token-based identification system. The existing system does not
otherwise need to be modified. The security of an Access Control System (ACS) can be
greatly enhanced by this method of augmentation that, preferably, wedges an automatic
fingerprint identification system (AFIS) into the data stream of an established ACS.
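The splice-in arrangement just described, as an added example that is neither the patent's text nor code from US 6715674 or any vendor: a wedge function that parses the frame coming from the token reader (assuming the common 26-bit Wiegand layout of even parity bit, 8-bit facility code, 16-bit card number, odd parity bit), looks up the enrollment templates associated with that token, and forwards the frame to the control panel only when the inquiry template matches. The enrollment store, the byte-string templates, the Hamming-distance matcher and the audit log are constructed stand-ins for a vendor AFIS.

```python
"""Added example (not from the patent or from US 6715674): a biometric wedge
spliced between a token reader and a control panel. All formats, names and
sample values here are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Constructed enrollment store: (facility code, card number) -> enrolled templates.
# Real fingerprint templates and matchers are vendor-specific; fixed-length byte
# strings compared by Hamming distance stand in for them here.
ENROLLED_TEMPLATES: Dict[Tuple[int, int], List[bytes]] = {
    (10, 5000): [bytes.fromhex("a1b2c3d4e5f6")],
}
MAX_DISTANCE_BITS = 4      # differing bits tolerated between inquiry and enrolled template
AUDIT_LOG: List[str] = []  # what the wedge decided and why, for the ACS operator


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit Wiegand frame (assumed layout): even parity bit over the next 12
    bits, 8-bit facility code, 16-bit card number, odd parity bit over the previous 12."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("facility must fit in 8 bits and card number in 16 bits")
    body = f"{facility:08b}{card:016b}"
    even = str(body[:12].count("1") % 2)        # bits 0..12 must hold an even number of ones
    odd = str((body[12:].count("1") + 1) % 2)   # bits 13..25 must hold an odd number of ones
    return even + body + odd


def parse_wiegand26(frame: str) -> Tuple[int, int]:
    """Validate both parity bits and return (facility, card); raise on a corrupt frame."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    if frame[:13].count("1") % 2 != 0:
        raise ValueError("leading even-parity check failed")
    if frame[13:].count("1") % 2 != 1:
        raise ValueError("trailing odd-parity check failed")
    return int(frame[1:9], 2), int(frame[9:25], 2)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Differing bits between two templates; unequal lengths never match."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def wedge(frame: str, inquiry_template: bytes) -> Optional[str]:
    """Intercept the reader's frame. Return it unchanged for the control panel only if
    an enrolled template tied to that token matches the inquiry; otherwise return None
    (the panel never sees the frame, so the existing ACS needs no modification)."""
    try:
        facility, card = parse_wiegand26(frame)
    except ValueError as err:
        AUDIT_LOG.append(f"dropped: {err}")
        return None
    for enrolled in ENROLLED_TEMPLATES.get((facility, card), []):
        if hamming_distance(inquiry_template, enrolled) <= MAX_DISTANCE_BITS:
            AUDIT_LOG.append(f"forwarded: token {facility}/{card} matched an enrolled template")
            return frame
    AUDIT_LOG.append(f"dropped: token {facility}/{card} had no matching enrollment")
    return None


if __name__ == "__main__":
    sample = encode_wiegand26(10, 5000)                        # constructed badge read
    print(wedge(sample, ENROLLED_TEMPLATES[(10, 5000)][0]))    # frame is forwarded
    print(wedge(sample, bytes(6)))                             # None: finger does not match
    print(AUDIT_LOG)
```

Note that the wedge validates the frame before it consults the matcher, so a corrupt or truncated reader stream is dropped with a parity error in the audit log rather than being passed through on a coincidental match; the control panel behind it keeps its original logic untouched.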
US 6799163 deals with a Biometric identification system as a method for identity
verification using the voice of a person, comparing at least one first spoken voice print of
a user speaking at least one piece of personal data against a first stored voice print of the
user speaking said at least one piece of personal data, comparing at least one second
spoken voice print of the user speaking at least one piece of travel data against a second
stored voice print of the user speaking said piece of travel data, and determining if the user
is a given individual based on the results of the first and the second comparison.
The U.are.U 4000 is a USB fingerprint reader designed for use with DigitalPersona Pro
Server, which contains an identity engine to store and authenticate fingerprints. The user
simply places a finger on the glowing reader window, and the device quickly and
automatically captures the fingerprint image. On-board electronics calibrate the device and
encrypt the image data before sending it over the USB interface.
In all the above-cited prior art, the whole idea behind the use of Biometrics is restricted to
the field of identification or authentication. In other words, the technology so far has only
used Biometric solutions to identify the person, i.e. to authenticate, and not to authorize the
Object of the invention
The main object of this invention is to provide for a security system and method to
overcome the defects in the existing security system by providing for both authentication
and authorization by combining the technologies of Intellect ARMOR and Biometrics.
An object of the present invention is to provide a system and a method by integrating
identity management using the fingerprinting technology of Digital Persona with the
access control using Intellect Armor.
Another object of the present invention is to provide a system and a method for
implementing security systems for business transactions especially for banking systems
where there is an extensive need for identity and access management tools.
Summary of the invention
The present invention provides a Biometric security solution system for both
authentication and authorization of secured transactions. The present system also provides
a method to authenticate and authorise the security transactions for executing the secured
transactions. The system and the method of the present invention are also integrated with
the known security systems to implement the authentication and authorization of
Detailed description of the invention
Accordingly, the system and the method of the present invention provide a security
system wherein Biometric Solutions are used in integration with the existing available
security systems to enable both authentication and authorization which are needed to
complete the transactions. The present system also provides a method to authenticate and
authorise the security systems for completing the transactions.
Authentication determines a user's identity. It is the process of identifying users before
they are allowed access to computer systems or networks. In network systems,
authentication refers to verifying that messages and documents came from the person
Authentication of a user is generally based on something the user knows, is, or has. The
process can take the following forms :
a. The most common form of authentication is user name and password, although this
also provides the lowest level of security.
b. VPNs use digital certificates and digital signatures to more accurately identify the
c. Biometrics - This refers to methods of authenticating or verifying an individual
based upon a physical or behavioral characteristic of the individual, e.g. fingerprint,
eye pattern, palm print, DNA etc.
Authorization is the process of determining, by evaluating applicable access control
information, whether a user is allowed to have the specified types of access to a particular
resource. Usually, authorization is in the context of authentication. Once a subject is
authenticated, it may be authorized to perform different types of access.
In multi-user computer systems, a system administrator defines for the system which users
are allowed access to the system and what privileges of use they have (such as access to
which file directories, hours of access, amount of allocated storage space, and so forth). For example,
when someone has logged in to a computer operating system or application, the system or
application will identify what resources the user can be given during this session.
Intellect Armor has different kinds of authentication and authorization mechanisms to help
organizations achieve information security and Single Sign-On.
Native Authentication achieved through in-built encrypted and signed ticket generation
1. Dynamic password authentication achieved through a defined set of plug-and-play APIs that integrate seamlessly with third-party software or hardware like "Secure Computing Safe Word" (Dynamic Password Authentication)
2. Hardware token based authentication achieved through a defined set of plug-and-play APIs that integrate seamlessly with third-party software or hardware like "Eracom Hardware Security Module" (HSM)
3. "Biometric Authentication" Intellect Armor is capable of integrating and operating with biometric solutions, specifically the biometric authentication mechanism that was adopted to integrate Intellect Armor with the "DigitalPersona Fingerprint Solutions". Intellect Armor is also capable of integrating with other
biometric authentication systems that provide authentication through identifying
the "Face", "Hand", "Palm Print", "Iris", "Speech" etc.
Intellect Armor, when integrated with one of the world's best fingerprint authentication
systems, "Digital Persona Fingerprint Solutions", has led to the present invention. This has
been done by building unique plug-in software which allows the Digital Persona
Fingerprint Reader to work with Armor. While other security software products may offer
replacement of password authentication with fingerprinting technology, we are not only
offering replacement of password but also providing management of user entitlements
Brief description of the drawings:
FIG 1 is a graphical representation of a launching of Intellect Armor application from the web browser.
(b) ARMOR login page
(c) Fingerprint Reader
(d) ARMOR Bio-plug-in
(e) DP Server
(f) Fingerprint and ticket store
(g) ARMOR data store
(h) User Profile (data)
The present invention also provides a method of authentication and authorization by using the system of the present invention, said method comprising the steps of
(1) launching of the Intellect Armor application from the web browser by a user
(2) selecting authentication means by the user from the available modules which includes
(a) Static Password authentication
(b) Dynamic Password Authentication
(c) Biometric Authentication
(3) authentication of the user by his/her fingerprint by means of a fingerprint reader
(4) scanning of the fingerprint,
(5) performing an encryption and sending to the Intellect Armor biometric plug-in through the login page
(6) processing the authentication request by Intellect Armor biometric plug-in and sending the authentication request to the DigitalPersona Server
(7) authenticating the fingerprint image with fingerprint ticket store by means of an
Identity engine and generating a unique ticket on matching the fingerprint of the
user with the fingerprint ticket store,
(6') & (7') communicating the authentication to the Intellect Armor biometric plug-in both authentication and refusal of access
(8) using Intellect Armor Authentication and Authorization API by Intellect Armor Biometric plug-in to get the authorization information of the user
(9) securing the authorization information from the Intellect Armor Data Store by Intellect Armor Authentication and Authorization API
(10) providing the authorization information to the user as a profile page
(11) to enable the user to access any of the applications that he/she is entitled to use
(6') & (7') checking for the unmatched biometric data and communicating the same ARMOR bio plug-in to ARMOR login page
(12) communicating the error message from ARMOR biometric plug-in to ARMOR login page
(13) communicating the error message from ARMOR login page to the User.
In an embodiment of the present invention a method wherein the authentication module is
selected from Static Password Authentication, Dynamic Password Authentication,
According to another embodiment of the present invention, a method wherein a 128
character unique ticket is generated and stored, when authentication is granted.
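A model of the authentication/authorization distinction explained under the detailed description and of steps (3) to (13) above, added here as an example: it is not the patent's code and not Intellect ARMOR's or DigitalPersona's API. The fingerprint store, the contents of the ARMOR data store, the `biometric_login`, `issue_ticket` and `authorize` names, and the choice of HMAC-SHA256 to sign a 128-character ticket are assumptions made for the example; the Hamming-distance matcher stands in for the DigitalPersona identity engine.

```python
"""Added example (not the patent's, Intellect ARMOR's or DigitalPersona's code):
fingerprint identification, issuance of a stored 128-character signed ticket, and
a role-based entitlement lookup keyed by that ticket. All data is constructed."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Constructed: the ticket issuer's signing key. A deployment would keep this in an HSM
# or protected key store; generating it at import time serves only the stand-alone demo.
SIGNING_KEY = secrets.token_bytes(32)
TICKET_LIFETIME_SECONDS = 600
MATCH_THRESHOLD_BITS = 6   # most differing bits for a scan to count as the enrolled finger

# Constructed "fingerprint and ticket store": user -> enrolled template bytes.
# Vendor templates and matchers are proprietary; fixed-length byte strings compared
# by Hamming distance stand in for them here.
FINGERPRINT_STORE: Dict[str, bytes] = {
    "alice": bytes.fromhex("3f9c01a7e2b8d4105566c0de"),
    "bob":   bytes.fromhex("0a0b0c0d0e0f101112131415"),
}
TICKET_STORE: Dict[str, Dict] = {}

# Constructed ARMOR data store: user -> role, role -> entitled application functions.
ARMOR_DATA_STORE = {
    "users": {"alice": {"role": "teller"}, "bob": {"role": "auditor"}},
    "roles": {
        "teller":  ["CashDeposit", "CashWithdrawal", "BalanceEnquiry"],
        "auditor": ["AuditReport", "BalanceEnquiry"],
    },
}


def hamming_distance(a: bytes, b: bytes) -> int:
    """Differing bits between two templates; unequal lengths never match."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def identify(inquiry: bytes) -> Optional[str]:
    """Identity engine (step 7): the enrolled user whose template is closest to the
    scan, or None when no template is within the threshold (steps 6'/7' refusal)."""
    best_user, best_distance = None, MATCH_THRESHOLD_BITS + 1
    for user, enrolled in FINGERPRINT_STORE.items():
        distance = hamming_distance(inquiry, enrolled)
        if distance < best_distance:
            best_user, best_distance = user, distance
    return best_user


def _mac(nonce: str, user: str, expiry: int) -> str:
    return hmac.new(SIGNING_KEY, f"{nonce}|{user}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: float) -> str:
    """Generate and store a 128-character ticket: 64 hex chars of random nonce followed
    by 64 hex chars of HMAC-SHA256 binding nonce, user and expiry together."""
    nonce = secrets.token_hex(32)
    expiry = int(now) + TICKET_LIFETIME_SECONDS
    ticket = nonce + _mac(nonce, user, expiry)
    TICKET_STORE[ticket] = {"user": user, "expiry": expiry}
    return ticket


def verify_ticket(ticket: str, now: float) -> Optional[str]:
    """The user bound to a ticket if it is stored, unexpired and its signature verifies;
    None otherwise. The constant-time comparison avoids leaking the MAC by timing."""
    if len(ticket) != 128:
        return None
    entry = TICKET_STORE.get(ticket)
    if entry is None or now >= entry["expiry"]:
        return None
    nonce, mac = ticket[:64], ticket[64:]
    expected = _mac(nonce, entry["user"], entry["expiry"])
    return entry["user"] if hmac.compare_digest(mac, expected) else None


def authorize(ticket: str, now: float) -> List[str]:
    """Authentication and Authorization API (steps 8-9): resolve the ticket to a user and
    return the functions that user's role is entitled to; empty when not authorised."""
    user = verify_ticket(ticket, now)
    if user is None:
        return []
    role = ARMOR_DATA_STORE["users"].get(user, {}).get("role")
    return list(ARMOR_DATA_STORE["roles"].get(role, []))


def biometric_login(inquiry: bytes, now: Optional[float] = None) -> Dict:
    """Steps 3-13 end to end: scan -> identify -> ticket -> profile page, or the error
    message that the plug-in hands back to the login page when the finger is unknown."""
    now = time.time() if now is None else now
    user = identify(inquiry)
    if user is None:
        return {"status": "error", "message": "Fingerprint not recognised"}   # steps 12-13
    ticket = issue_ticket(user, now)                                          # step 7
    return {"status": "ok", "user": user, "ticket": ticket,
            "profile": authorize(ticket, now)}                                # steps 8-11


if __name__ == "__main__":
    print(biometric_login(FINGERPRINT_STORE["alice"]))      # ok: teller entitlements
    print(biometric_login(bytes.fromhex("ff" * 12)))        # error: no enrolled match
```

Authentication and authorization stay separate here on purpose: a matching finger only yields a ticket, and every entitlement decision goes back through `verify_ticket`, so an expired, tampered or never-issued ticket returns an empty profile even when the scan itself was genuine.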
The Schematic Representation of the system and method of the present invention is as
1. Intellect ARMOR is an integrated, modular and customizable suite of Security
Services providing Single Sign on to applications across technologies.
2. This will provide a security system and methods to overcome the defects in the
existing security system by providing for both authentication and authorization
by combining the technologies of intellect ARMOR and Biometrics.
3. It will provide a system and a method by integrating identity management
using the finger printing technology of Digital persona with the access control
using intellect ARMOR.
4. The present invention provides a Biometric Security solution system for both
authentication and authorization of secured transactions.
5. Biometric Authentication intellect ARMOR is capable of integrating and
operating with biometric solutions, specifically the biometric authentication
mechanism that was adopted to integrate Intellect ARMOR with the "Digital
Persona Fingerprint Solutions".
6. INTELLECT ARMOR makes it easier for end-users, to securely sign-on to
multiple applications through a friendly, browser-based front-end. It is
specially designed to allow the user to securely access any browser based,
desktop, Client-Server Based, Unix-based or Character / Green screen
applications by means of a single User-ID and password combination.
7. The present invention also provides a method of authentication and
authorization by using the system of the present invention, said method
comprising the steps of (1) launching of the Intellect Armor application from
the web browser by a user (2) selecting authentication means by the user from
the available modules which includes (a) Static Password authentication (b)
Dynamic Password Authentication (c) Biometric Authentication (3)
authentication of the user by his / her fingerprint by means of fingerprint reader
(4) Scanning of the fingerprint, (5) performing an encryption and sending to the
Intellect Armor biometric plug-in-through the login page (6) processing the
|Indian Patent Application Number||1315/CHE/2004|
|PG Journal Number||42/2012|
|Date of Filing||03-Dec-2004|
|Name of Patentee||POLARIS FINANCIAL TECHNOLOGY LIMITED|
|Applicant Address||POLARIS HOUSE 244 ANNA SALAI CHENNAI 600 006|
|PCT International Classification Number||G06F 21/00|
|PCT International Application Number||N/A|
|PCT International Filing date|