Description:TECHNICAL FIELD
[0001] The present invention relates to the field of biometric authentication systems and, more particularly, pertains to a system and method for multi-factor authentication to provide secure and reliable access control.

BACKGROUND
[0002] User authentication is critical for securing access to computing resources and communication networks. Traditional password-based authentication methods are widely utilised but are susceptible to various attacks, including brute-force attempts, password guessing, and social engineering tactics. Although biometric authentication methods, such as fingerprint, facial recognition, and iris scanning, provide enhanced convenience and accuracy compared to password-based authentication, they remain vulnerable to spoofing attacks wherein adversaries replicate biometric traits using artificial materials.
[0003] Countermeasures such as liveness detection have been introduced to prevent biometric spoofing; however, these techniques often introduce usability challenges and additional security vulnerabilities. Authentication mechanisms relying on wearable devices face susceptibility to side-channel attacks and operational limitations due to battery constraints, thereby reducing their practicality for continuous authentication scenarios. Further, multi-factor authentication approaches based on One-Time Passwords (OTP) transmitted to user devices are prone to interception through social engineering techniques.
[0004] Behavioral authentication methods, such as analyzing typing cadence and mouse movement patterns, have been explored to support continuous authentication. However, these methods require persistent monitoring and introduce processing overhead, rendering them unsuitable for latency-sensitive environments such as the Internet of Things (IoT).
[0005] Hardware-based authentication techniques, including methods based on Photo Response Non-Uniformity (PRNU), have been explored for device identification by leveraging sensor imperfections. While PRNU-based approaches demonstrate potential for source device verification, they exhibit practical limitations such as sensitivity to environmental conditions, latency in extraction, and scalability concerns for real-time authentication.
[0006] It has further been observed that existing authentication systems predominantly verify only the identity of the user, with limited mechanisms to verify the authenticity of the device utilised during authentication. In environments where secure remote authentication is essential, such as financial institutions, enterprise security, healthcare, critical infrastructure, and battlefield communications, it is necessary to authenticate both the user and the user’s device over potentially insecure communication networks.
[0007] Moreover, traditional password validation mechanisms involve either direct password transmission or storage, which exposes systems to brute-force attacks, particularly in scenarios involving device theft or compromise.
[0008] There is, therefore, a need for a robust remote multi-factor authentication system that integrates biometric fingerprint verification, device-specific hardware fingerprint analysis, and secure password validation, and that supports mutual authentication between a user device and a server while establishing a fresh session key for each authentication session.

OBJECTS OF THE PRESENT DISCLOSURE
[0009] A general object of the present disclosure is to provide a multi-factor authentication system and method that enhances security by combining biometric fingerprint verification, device-specific hardware fingerprint analysis, and password validation.
[0010] An object of the present disclosure is to provide a remote authentication protocol wherein both a user device and a server are authenticated mutually, ensuring secure communication between the two entities over potentially untrusted networks.
[0011] An object of the present disclosure is to provide a method for establishing a session key following successful mutual authentication, thereby enabling encrypted communication resistant to interception and replay attacks.
[0012] An object of the present disclosure is to provide a solution that offers adaptability across multiple industries, including financial services, healthcare, enterprise security, and government applications, where strong remote authentication measures are required.
[0013] Another object of the present disclosure is to provide a solution that reduces the risk of unauthorized access by incorporating device-specific hardware fingerprinting, thus enhancing authentication robustness.
[0014] Another object of the present disclosure is to provide a solution capable of detecting spoofing attempts by analysing inconsistencies in biometric and hardware fingerprint data using AI-based classification models.
[0015] Another object of the present disclosure is to provide a solution that improves the evaluation of authentication factors, ensuring a higher level of accuracy in access control decisions through deep learning-based analysis.
[0016] Another object of the present disclosure is to provide a system that verifies identity of the user as well as the authenticity of the user device utilised for authentication, thereby preventing unauthorised device usage.
[0017] Another object of the present disclosure is to provide a solution that enhances security by performing fingerprint verification and device identification using deep learning models on the server side.
[0018] Yet another object of the present disclosure is to provide a scalable authentication system that can seamlessly integrate with existing security infrastructures without requiring significant modifications to user devices or backend servers.

SUMMARY
[0019] An aspect of the present disclosure pertains to the field of biometric authentication systems and, more particularly, pertains to a system and method for secure multi-factor remote authentication to provide robust and reliable access control between a user device and a server.
[0020] An aspect of the present disclosure provides a multi-factor authentication protocol that enhances security by integrating biometric fingerprint verification, device-specific hardware fingerprint analysis using artificial intelligence models, and password validation. The system securely authenticates a user and verifies the authenticity of the user's device over a communication network, while also ensuring authentication of the server to the user.
[0021] The system includes an input device configured to receive biometric input from an entity, and a fingerprint scanner communicatively coupled to the input device, configured to capture fingerprint images. A processor operatively coupled to the input device creates a payload containing the captured fingerprint image and sends it to a server. The server communicatively coupled to the processor over a network extracts biometric features from the captured fingerprint image and compares them with a stored fingerprint template to verify the identity of the entity. Upon successful biometric verification, the server verifies the hardware device by running the fingerprint image through a deep learning model trained to detect the registered scanners. If the hardware fingerprint verification is successful. The server transmits a payload back to the processor containing the hash of its secret key. The processor then prompts the entity to enter a password.
[0022] In an aspect, the password entered by the user is securely combined with a server secret (i.e. a secret key) using a cryptographic hash function, creating a verification token. This ensures that neither the password nor the server secret is directly exposed or stored in retrievable form, providing enhanced resilience against brute-force and dictionary attacks.
[0023] In an aspect, the server, communicatively coupled to the processor via a communication network, processes authentication requests, verifies the identity of the user, and ensures integrity of the authentication request. The server authenticates itself to the user by transmitting a secure verification message. Upon successful mutual authentication, both the server and the user device derive a fresh session key, based on exchanged cryptographic parameters, for secure encrypted communication.
[0024] In an aspect, the system includes mechanisms for detecting security threats, including spoofing attempts, replay attacks, stolen device attacks, and man-in-the-middle attacks, by verifying biometric characteristics, device-specific hardware fingerprints, timestamp freshness, and verification hashes during the authentication protocol. The proposed system thereby enhances the robustness of remote authentication while maintaining scalability and compatibility with existing infrastructure.

BRIEF DESCRIPTION OF DRAWINGS
[0025] The accompanying drawings are included to provide a further understanding of the present disclosure and are incorporated in and constitute a part of this specification. The drawings illustrate exemplary embodiments of the present disclosure and, together with the description, serve to explain the principles of the present disclosure. The diagrams are for illustrative purposes only and are not intended to limit the scope of the disclosure.
[0026] FIG. 1 illustrates an exemplary network architecture of proposed multi-factor authentication system, in accordance with an embodiment of the present disclosure.
[0027] FIG. 2 illustrates functional units of proposed multi-factor authentication system, in accordance with an embodiment of the present disclosure.
[0028] FIG. 3 illustrates a flow diagram of the proposed method for secure multi-factor remote authentication, showing steps of biometric feature extraction, hardware fingerprint verification, password validation, and secure session establishment, in accordance with an embodiment of the present disclosure.
[0029] FIG. 4 illustrates an exemplary Mobile Inverted Bottleneck Convolution (MBConv) block structure utilized in deep learning models for fingerprint scanner identification, in accordance with an embodiment of the present disclosure.
[0030] FIG. 5 illustrates an exemplary residual block structure used in convolutional neural networks for fingerprint verification, in accordance with an embodiment of the present disclosure.
[0031] FIGs. 6A and 6B illustrate exemplary graphical representations of loss and accuracy curves for EfficientNetB3 model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0032] FIGs. 6C and 6D illustrate exemplary graphical representations of loss and accuracy curves for MobileNet model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0033] FIGs. 6E and 6F illustrate exemplary graphical representations of loss and accuracy curves for ResNet152 model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0034] FIGs. 6G and 6Hillustrate exemplary graphical representations of loss and accuracy curves for the ResNet50 model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0035] FIGs. 6I and 6J illustrate exemplary graphical representations of loss and accuracy curves for the VGG16 model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0036] FIGs. 6K and 6L illustrate exemplary graphical representations of loss and accuracy curves for the LeNet5 model used for scanner identification, in accordance with an embodiment of the present disclosure.
[0037] FIG. 7 illustrates an exemplary graphical representation of Receiver Operating Characteristic (ROC) curves comparing performance of different deep learning classifiers used for scanner identification, in accordance with an embodiment of the present disclosure.
[0038] FIG. 8 illustrates an exemplary computer system architecture including processing, storage, and communication components usable for implementing embodiments of the present disclosure.

DETAILED DESCRIPTION OF THE PRESENT INVENTION
[0039] The following is a detailed description of embodiments of the disclosure represented in the accompanying drawings. The disclosed embodiments are merely exemplary of the invention, which may be embodied in various forms. The embodiments are presented in sufficient detail to clearly communicate the disclosure. However, the amount of detail offered is not intended to limit the anticipated variations of embodiments; on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the present disclosure as defined by the appended claims.
[0040] An embodiment of the present disclosure pertains to the field of biometric authentication systems and, more particularly, relates to a system and method for secure multi-factor remote authentication that enhances access control between a user device and a server.
[0041] The multi-factor authentication system includes an input device configured to receive biometric input from an entity and a fingerprint scanner communicatively coupled to the input device for capturing fingerprint images. The captured fingerprint image is securely transmitted to a server over a communication network. The server is configured to extract biometric features from the received fingerprint image and compare the extracted features with a stored fingerprint template to verify the identity of the entity. Upon successful verification, the fingerprint image is passed to a deep learning model that verifies the fingerprint scanner. The server then sends a payload containing its secret key to the processor. The authentication system includes multiple processing modules that facilitate secure communication, encryption, and authentication request preparation.
[0042] Upon receiving the captured fingerprint image from the authentication system, the server extracts biometric features from the fingerprint image and compares the extracted features with stored fingerprint templates to verify the identity of the entity. Subsequently, the server verifies the scanner by running the fingerprint image through a deep learning model trained to identify scanner-specific characteristics. This helps in verifying the authenticity of the fingerprint scanner and associated user device.
[0043] If both biometric verification and hardware fingerprint verification are successful, the server initiates a challenge-response protocol wherein the authentication system prompts the entity to enter a password. During registration, the authentication system securely combines a hash of the user's password with a hash of a server-side secret to create a verification token. This token is used during authentication without exposing the raw password or the server secret, thereby enhancing resistance to brute-force and dictionary attacks.
[0044] In an embodiment, authentication validity is determined based on three factors: (i) biometric fingerprint verification, (ii) hardware fingerprint verification, and (iii) password verification based on secure token matching. Access is granted only when all three authentication factors are successfully validated. Otherwise, access is denied.
[0045] In an embodiment, the server is communicatively coupled to the authentication system over a communication network, and receives the authentication request containing the identity parameters, timestamps, and cryptographic hash values. The server decrypts the authentication request using a shared key and verifies the integrity and freshness of the request.
[0046] Upon successful decryption, the server processes the received fingerprint image and compares it with existing fingerprint templates to verify biometric authenticity and then runs the same image through a deep learning model to verify and re-validate the device identity based on extracted hardware fingerprint features.
[0047] Following successful mutual authentication, the server generates a session key, which is securely exchanged with the user device. The session key enables encrypted communication between the server and the user device for the duration of the authenticated session.
[0048] In an embodiment, the authentication system and server also incorporate mechanisms to detect and flag irregularities in authentication requests, such as mismatched timestamps, invalid hash values, or anomalies in biometric and hardware fingerprint data, to mitigate risks of spoofing, replay, or man-in-the-middle attacks.
[0049] Accordingly, the present disclosure provides a robust, secure, and scalable method for multi-factor remote authentication, ensuring mutual authentication between a user device and a server and establishing a secure session key for encrypted communication.
[0050] Referring to FIG. 1, an exemplary network architecture of proposed multi-factor authentication system 102 is disclosed. The system 102 includes an input device 104 configured to receive biometric input from an entity, and a fingerprint scanner 106 communicatively coupled to the input device 104. The fingerprint scanner 106 is configured to capture a fingerprint image from the entity upon receipt of the biometric input through the input device 104.
[0051] In an exemplary embodiment, the input device 104 may be a touchscreen, keypad, or other user interface device integrated into a smartphone, tablet, laptop, or standalone authentication terminal.
[0052] In an exemplary embodiment, the fingerprint scanner 106 may be an optical scanner, capacitive scanner, or ultrasonic scanner, configured to capture high-resolution fingerprint images for authentication. The selection of the scanner type depends on security requirements, with ultrasonic and capacitive scanners offering higher resistance to spoofing attacks compared to optical variants.
[0053] In addition, the system 102 includes one or more processor(s) 108 operatively coupled to the input device 104 and the fingerprint scanner 106. The captured fingerprint image is securely transmitted to a server 120 through the processor 108 over a communication network 110. The processor 108 enhances security by integrating biometric fingerprint verification, hardware fingerprint analysis, and password validation and facilitates communication between the input device 104 and the fingerprint scanner 106.
[0054] In an embodiment, the communication network 110 can be a wireless network, a wired network or a combination thereof that can be implemented as one of the different types of networks, such as Intranet, Local Area Network (LAN), Wide Area Network (WAN), Internet, and the like. Furthermore, the communication network 110 can either be a dedicated network or a shared network. The shared network can represent an association of different types of networks that can use variety of protocols, for example, Hypertext Transfer Protocol (HTTP), Transmission Control Protocol/Internet Protocol (TCP/IP), Wireless Application Protocol (WAP), and the like.
[0055] Referring to FIG. 2, exemplary functional units of proposed multi-factor authentication system 102 are disclosed. The processor 108 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, logic circuitries, and/or any devices that manipulate data based on operational instructions. Among other capabilities, the processor 108 may be configured to fetch and execute computer-readable instructions stored in a memory 204. The memory 204 may store one or more computer-readable instructions or routines, which may be fetched and executed to manage multi-factor authentication. The memory 204 may include any non-transitory storage device including, for example, volatile memory such as Random Access Memory (RAM), or non-volatile memory such as an Erasable Programmable Read-Only Memory (EPROM), flash memory, and the like.
[0056] In an embodiment, the processor 108 may also include an interface(s) 206. The interface(s) 206 may include a variety of interfaces, for example, interfaces for data input and output devices, referred to as Input/Output (I/O) devices, storage devices, and the like. Examples of such components include but are not limited to, processing engine(s) 208 and a database 210.
[0057] In an embodiment, the processing engine(s) 208 may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing engine(s) 208. In other embodiments, the processing engine(s) 208 may be implemented by electronic circuitry. The database 210 may include data that is either stored or generated as a result of functionalities implemented by any of the components of the processing engine(s) 208. In some embodiments, the processing engine(s) 208 may include a biometric processing module 212, a hardware fingerprint processing module 214, a credential validation module 216, an authentication management module 218, a server-side management module 220, and other module(s) 222. The other module(s) 222 may implement functionalities that supplement applications/functions performed by the system 102.
[0058] In an embodiment, the biometric processing module 212 is configured to extract one or more biometric features from the captured fingerprint image. These biometric features may include unique ridge patterns, minutiae points, and other distinguishing characteristics that define fingerprint of an individual and compare the extracted biometric features with a stored fingerprint template to verify identity of the entity.
[0059] In an embodiment, the hardware fingerprint processing module 214 is configured to verify the hardware fingerprint from the captured fingerprint image with help of a deep learning model, ensuring an additional layer of security beyond biometric authentication. This hardware fingerprint processing module 214 operates only after a successful biometric fingerprint comparison, confirming the identity of the entity before proceeding to hardware-based verification.
[0060] The hardware fingerprint processing module 214 makes use of the deep learning model to verify the hardware fingerprint from the captured fingerprint image for device authentication. The model is trained with a set of fingerprint images from varying scanners which gives it the ability to distinguish between these devices that are registered initially. This comparison allows the system 102 to verify whether the fingerprint scanner 106 being used for authentication is an authorised and recognised device. This helps to further strengthen security by detecting potential spoofing attempts or unauthorised device usage. By incorporating hardware fingerprint verification, this hardware fingerprint processing module 214 ensures that authentication is bound not only to biometric identity of the entity but also to the specific fingerprint scanner used, preventing unauthorised access through cloned or manipulated biometric data.
[0061] In an embodiment, the credential validation module 216 is utilised only after the hardware fingerprint comparison is successful, ensuring that the authentication process progresses in a stepwise manner, reinforcing security at multiple levels. Upon successful verification of biometric fingerprint of the entity and the hardware fingerprint, the credential validation module 216 prompts the entity to enter a password. This password is further compared with the stored password credentials associated with the entity. The credential validation module 216 verifies whether the entered password matches the corresponding stored credential, confirming identity of the entity.
[0062] By integrating password validation with biometric and hardware fingerprint verification, the credential validation module 216 enhances security by requiring the entity to prove knowledge of a secret credential in addition to their biometric and device-specific identity. This mitigates risk of unauthorised access even if one authentication factor is compromised, ensuring a robust multi-factor authentication mechanism.
[0063] In addition, the credential validation module 216 is also configured to receive a cryptographic hash generated using a secret key (i.e. server secret) stored at the server 120, generate a verification token by applying a cryptographic hash function to the received password and the received cryptographic hash, and validate the identity of the entity based on the verification token, without storing or exposing the password or the secret key. For instance, verification token, rather than the password itself, is stored on the user’s device. During authentication, the token is recomputed and verified, thereby ensuring that neither the server’s secret nor the user’s password is directly exposed or retrievable, thereby enhancing resistance to brute-force and dictionary attacks.
[0064] In an embodiment, the authentication management module 218 is configured to determine authentication validity based on multiple verification factors. This authentication management module 218 evaluates the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification to ensure that all authentication criteria are met before granting access. The authentication management module 218 processes the verification results and determines whether authentication is successful or has failed. Access is granted only if all three authentication factors, the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification are validated successfully. If any one of these comparisons fails, access is denied, preventing unauthorised entry.
[0065] Additionally, the authentication management module 218 incorporates an advanced security feature for detecting spoofing attempts. This analysis includes inconsistencies in the extracted biometric features or the hardware fingerprint to identify potential fraudulent activities. If discrepancies are detected, the system 102 may flag the authentication attempt as suspicious and take necessary security measures to prevent unauthorised access. This ensures a higher level of protection against spoofing attacks and enhances reliability of the authentication system.
[0066] In an embodiment, the server-side management module 220 is configured for processing authentication requests, verifying identities, ensuring data integrity, and enabling secure communication between the input device 104 and the server 120. This begins by receiving an authentication request from the processor 108, which includes details such as the identity of the entity, the identity of the server 120, and one or more cryptographic hash values to maintain data integrity. The server-side management module 220 checks whether the request has been modified during transmission. Upon receiving the request, the server 120 decrypts it using a shared key to ensure confidentiality and prevent tampering. After decryption, the server-side management module 220 verifies the identity of the entity, the identity of the server 120, the timestamp, and the hash value. The timestamp validation helps prevent replay attacks by ensuring that the request is recent. Following successful validation, the server 120 performs biometric fingerprint verification using a verification function and authenticates the entity. Subsequently, a deep learning model analyses characteristics of the fingerprint scanner to verify the authenticity of the hardware fingerprint. Upon successful biometric fingerprint and hardware fingerprint verification, the server generates a cryptographic hash using a secret key stored on the server 120 and transmits a response payload containing the cryptographic hash to the input device 104.
[0067] Once the fingerprint and hardware authenticity are verified and the response payload is received, the credential validation module 216 prompts the entity to enter a password. The input device 104 then receives this password and uses the cryptographic hash received from the server to generate a verification token by applying a cryptographic hash function to both the password and the received cryptographic hash. The identity of the entity is validated based on this verification token, without storing or exposing the password or the secret key. This ensures confidentiality and protection of sensitive credentials. The input device 104 transmits an authentication response including the generated verification token, the identity of the server 120, the entity’s identity, the timestamp, and a hash value. The server 120 verifies this response and confirms authentication of the input device 104. Upon successful mutual authentication, the server-side management module 220 derives a session key unique to the authentication session. This session key is then used to encrypt further communication between the input device 104 and the server 120, ensuring secure data exchange.
[0068] Additionally, the server-side management module 220 is capable of detecting and flagging irregularities in authentication requests. This includes checking for mismatched timestamps, invalid hash values, and anomalies that could indicate fraudulent activity. If any such irregularities are detected, the authentication attempt is immediately rejected to prevent unauthorised access. This multi-layered authentication mechanism ensures robust security by combining biometric identity verification, hardware fingerprint verification, secure password validation using cryptographic hashing, and anomaly detection.
[0069] The incorporation of biometric fingerprint verification, hardware fingerprint analysis, and password verification in the system 102 enhances its resistance to spoofing and unauthorised access. The system 102 is configured to be integrated into various consumer electronic devices such as smartphones, tablets, and laptops, thereby improving security of these devices by requiring authentication through both the user's fingerprint and a unique hardware-specific signature. This multi-factor approach ensures that even if one authentication factor is compromised, access remains restricted, thereby offering a highly secure solution for both personal and enterprise applications.
[0070] Referring to FIG. 3, a flow diagram of the proposed method 300 for multi-factor authentication is disclosed. The method 300 begins with receiving at step 302, by a processor 108, biometric input from an entity using an input device 102.
[0071] Continuing further, at block 304, the method 300 includes capturing, by the processor 108, a fingerprint image from the entity using a fingerprint scanner 106, which is communicatively coupled to the input device 104, upon receipt of the biometric input.
[0072] Continuing further, at block 306, the method 300 includes generating a payload comprising the captured fingerprint image by a processor 108 operatively coupled to the input device 104 and the fingerprint scanner 106.
[0073] Continuing further, at block 308, the method 300 includes transmitting, by the processor 108, the payload to a server 120 for biometric identity verification. The server 120 extracts one or more biometric features from the fingerprint image, received through the payload. The server 120 compares the extracted biometric features with a stored fingerprint template to verify identity of the entity.
[0074] Continuing further, at block 310, the method 300 includes transmitting, by the server 120, the fingerprint image to a deep learning model, upon successful biometric identity verification, to extract and analyse one or more hardware-specific features to verify the authenticity of the fingerprint scanner 106. The hardware fingerprint is unique to the fingerprint scanner 106.
[0075] Continuing further, at block 312, the method 300 includes receiving, by the server 120, a password from the entity upon successful verification of the biometric identity and authenticity of the fingerprint scanner 106. Upon receiving the password, the server 120 generates a cryptographic hash using a secret key stored securely on the server 120. A verification token is then generated by applying a cryptographic hash function to the received password and the generated cryptographic hash. The identity of the entity is validated based on this verification token, without storing or exposing the password or the secret key at any point in the process.
[0076] Continuing further, at block 314, the method 300 includes comparing 314, by the server 120, the received password with stored password credentials to validate the identity of the entity.
[0077] Continuing further, at block 316, the method 300 includes evaluating by the server 120, the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification to determine authentication validity, and indicating either successful access or authentication failure based on the evaluation.
[0078] Continuing further, at block 316, the method 300 includes granting access if the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification are valid. In addition, denying access, if at least one of the biometric fingerprint comparison, the hardware fingerprint verification, or the password verification fails.
[0079] In an embodiment, the method 300 includes generating a cryptographic hash using a secret key (i.e. server secret) stored on the server 120, transmitting a response payload including the cryptographic hash to the processor 108 upon successful biometric fingerprint comparison and hardware fingerprint verification.
[0080] In an embodiment, the method 300 includes processing and verifying an authentication request received from the processor 108. The server 120 first decrypts the authentication request using a shared key and verifies various parameters, including identity of the entity, identity of the server 120, and timestamp, and one or more cryptographic hash values, ensuring integrity of the authentication request. After successful decryption, the server 120 performs fingerprint verification by applying a verification function and processes the fingerprint image through a deep learning model to authenticate the entity and the scanner 106, respectively.
[0081] Once authentication is successful, the server 120 generates a response message (i.e. response payload) that includes a hashed password and a verification hash, which is then transmitted back to the input device. The server 120 further verifies the authentication response received from the input device by validating the identity of both the entity and the server 120, along with the timestamp and hash value. If this verification is successful, the server 120 authenticates itself to the input device 104. Further, the server 120 generates a session key, which is unique for each authentication session, ensuring secure communication between the input device and the server.
[0082] In an embodiment, the method 300 further includes detecting and flagging irregularities in authentication requests by checking for mismatched timestamps, invalid hash values, and anomalies that may indicate fraudulent activity. If any such irregularities are detected, the authentication request is immediately rejected to prevent unauthorised access.
[0083] In an exemplary implementation, multiple deep learning models, including EfficientNetB3, MobileNet, ResNet (ResNet50, ResNet152), VGG16, and LeNet-5, are utilised as classifiers for fingerprint scanner identification. The analysis of these models reveals significant differences in their performance for the multiclass classification task.
[0084] EfficientNetB3, belongs to the EfficientNet family (EfficientNetB0 to EfficientNetB7), employs compound scaling to balance network depth, width, and input resolution. Instead of scaling these dimensions individually, it uses a compound coefficient (ϕ) to scale all three dimensions simultaneously, as represented in equation (1).
d = αϕ, w =βϕ, r = γϕ (1)
where d is the network depth, w is the network width, r is the input resolution, α, β, γ are constants and ϕ is the compound coefficient controlling the scaling across all dimensions.
[0085] An architecture of MBConv Block is shown in FIG. 4, which is core of EfficientNetB3. This block uses an inverted residual structure, initially introduced in MobileNetV2, where the number of channels is first expanded, then processed using Depthwise Convolution, and finally compressed back to its original size. The MBConv block also integrates Squeeze-and-Excitation (SE) mechanisms, which improve feature selection and stability during training. The MBConv operation is represented in equation (2):
MBConv(x) = x+Swish(F(x)) (2)
where x is the input tensor and F(x) represents the expansion, depth wise convolution and compression.
[0086] Squeeze-and-Excitation (SE) Block, illustrated in FIG. 5, applies global average pooling followed by an excitation mechanism using fully connected layers. This process is mathematically expressed in equation (3):
z = σ(W2.ReLU(W1.GlobalAVgPool(x))) (3)
where x is the input feature map, W1 and W2 are learnable weight matrices, and σ is the sigmoid activation.
[0087] The Swish activation function, used in EfficientNetB3, is a non-monotonic alternative to ReLU, allowing smoother gradient flow, as shown in equation (4):
Swish(x) = x.σ(x) (4)
[0088] In an exemplary implementation, MobileNet is a part of lightweight deep neural networks developed by Google, mainly for vision based applications involving images. This focuses on optimising speed and efficiency without making any compromises on accuracy. The architecture uses depthwise separable convolutions, which split the standard convolution operation into two smaller operations: depthwise convolution and pointwise convolution. The depthwise convolution is configured for filtering the input channels separately. The result from this depthwise convolution is an output with the same number of channels as the input. The pointwise convolution includes applying a 1x1 convolution filter across all the channels of the input, thereby mixing them to produce the output. This makes it computationally lighter as it includes only a simple multiplication per pixel. However, important to combine the information from different channels. Thus, the working of a convolution layer is carried out, but the process of splitting it into two different operations involving depthwise convolution and pointwise convolution reduces the number of parameters and the computational cost, making MobileNet a suitable architecture to be deployed in cases of constrained computational resources. This may be deployed in devices with low computational power, such as a Raspberry Pi.
[0089] In an exemplary embodiment, MobileNet is optimised for speed and efficiency, making it suitable for resource-constrained devices such as Raspberry Pi. It achieves this by using Depthwise Separable Convolutions, which split a standard convolution into two operations: Depthwise Convolution (applied to individual channels) and Pointwise Convolution (1×1 convolution to mix channel information). This drastically reduces the number of parameters and computational cost.
[0090] In an exemplary embodiment, Residual Networks (ResNet), including ResNet50 and ResNet152, introduce residual learning to overcome vanishing gradient issues in deep networks. This is done using skip connections, where the input is directly added to the output of a residual block, as shown in equation (5):
Output = F(x)+x (5)
F(x) represents the function learned by the residual block and x is the input to the block.
[0091] In an exemplary embodiment, in skip connection mechanism, ResNet152 provides better accuracy but requires higher computational resources, while ResNet50 balances efficiency and accuracy, making it suitable for applications with limited resources.
[0092] In an exemplary embodiment, VGG16 consists of 16 layers (13 convolutional + 3 fully connected layers) and utilises small 3×3 convolution filters, repeated multiple times, to improve hierarchical feature extraction. Despite being computationally expensive, VGG16 is widely used for transfer learning and feature extraction.
[0093] In an exemplary embodiment, LeNet-5, one of the earliest convolutional neural networks (CNNs), has seven layers and is primarily used for lightweight image recognition tasks. This consists of convolutional layers, pooling layers, and fully connected layers. Though less complex than modern architectures, this is useful for efficient real-time applications with constrained computational power. By integrating these architectures, the system 102 ensures optimal fingerprint scanner identification, utilising compound scaling of EfficientNetB3 efficiency of MobileNet, residual learning of ResNet, deep hierarchical features of VGG16, and lightweight structure of LeNet-5.
[0094] In an exemplary embodiment, the proposed system 102 authenticates both the user and device of the user, ensuring a higher level of security. Furthermore, this enables mutual authentication, where the server 120 or verifier is also authenticated. During a registration phase, the user scans his finger and produces n number of images and transmits a message EKUS {IDuser, IDserver, TU, (I..In), H(Su), Hsig} to the server, where IDuser is identity of the user, IDserver is the identity of the server 120, TU is the timestamp of the user and Hsig = H(IDuser, IDserver,(I..In), TU, KUS). Upon successful decryption and verification, the deep learning model Deepmodel is trained on fingerprints of the user captured from the device. Further, the server 120 generates a secret SS and computes Secverify = H(H(SS), H(SU)) and stores IDserver, Secverify and H(SS). Further, the server 120 transmits the message EKUS {IDserver, IDuser, TS, H(SS), Hsig} to the user or device of the user. This is essential that the registration phase is conducted over a secure communication channel to ensure data integrity and to prevent potential attacks.
[0095] In an exemplary embodiment, in a mutual authentication phase, the user scans his finger and device computes signature Hsig, which is hash value of identity of the user IDuser, identity of the server/verifier IDserver, time stamp TU, fingerprint image IF and the shared key of the user and the server KUS. Further the device transmits the message EKUS {IDuser, IDserver, TU, IF, Hsig} to the server 120. Upon receiving the message, the server 120 decrypts it using the shared key KUS and verifies IDuser, IDserver, TU, and Hsig. Further, the server 120 performs fingerprint identification using the function Fver. Upon successful verification, the image is fed to the deep learning model DeepModel. Upon successful verification of the hardware fingerprint by the model, the server 120 transmits back its password in the form of a hash value H(Ss) in the message {IDserver,IDuser, Ts, H(Ss),Hsig}. Upon receiving the message from the server 120, the device verifies IDuser, IDserver, , Ts, and Hsig. Upon successful verification, the user is prompted to enter password SU. Further, the device computes Secverify = {H(H(SS), H(SU)} and verifies it with the stored value (Secverify) stored in device of the user at the time of registration but not the password SU. Upon successful verification, the server/verifier is authenticated to the user. Moreover, it computes the session key as Ksession = H(Secverify,TU,TS). This is also ensured that the session key Ksession is fresh for each session. Similarly, the server 120 computes the session key by retrieving the hash of password of the user from its database as Secverify = {H(H(SS), H(SU)}. Now both entities may securely communicate with each other using the session key Ksession.
[0096] In an exemplary embodiment, the system 102 demonstrates resilience against spoofing attacks, where an adversary, denoted as Adv, successfully spoofs the fingerprint of the user and transmits the message EKAadv{IDuser, IDserver,TU′, IF, Hsig}, where KAadv is the key shared between the adversary and the server 120. Although this message may pass the fingerprint verification Fver(IF′) authentication, it may eventually fail when the server 120 attempts to verify the hardware fingerprint of the device Identified = DeepModel(IF′).
[0097] In an exemplary embodiment, the system 102 demonstrates resilience to stolen device attack, where Adv captures the device of the user and tries to authenticate using a 3D model of fingerprint of the user, the attempt of Adv may succeed to receive a message from the server. Eventually attempt of the Adv may fail to generate the session key Ksession as the password of the user SU is unknown to the Adv.
[0098] In an exemplary embodiment, the system 102 demonstrates resilience to replay attack, where Adv tries replay an old message sent by the user in the previous run of the protocol as EKUS {IDuser, IDserver, TU, IF, KUS}. The attempt fails when the server 120 verifies the timestamp TU and the message will be discarded. 4) Resilience to Man in The Middle Attack: Suppose an active Adv listening to the channel successfully computes the key KUS, Adv will not be able to compute the session key as H(SU) is unknown to it. This ensures, forward secrecy property of the protocol.
[0099] In an exemplary embodiment, the system 102 demonstrates resilience to fingerprint forgery attack. This is difficult for an adversary to produce fingerprint image with forged hardware fingerprint by extracting fingerprint from other images taken using the same scanner as the images are not available online. For instance, the Adv succeeds in producing a fingerprint image which has forged hardware fingerprint quite closer to the original hardware fingerprint and sends the message EKAadv {IDuser, IDserver, T′U, I′F, K KAadv } to the server 120. This may pass user and device authentication and may fail in producing a session the Adv doesn’t possess password of the user.
[00100] In an exemplary embodiment, the system 102 demonstrates resilience to brute force attack. For instance, when Adv is trying to brute force the password SU of the user by stealing the device of the user. The Adv may find Secverifiy which is a hash of password of the user SU and hash of secret of server SS. This is impossible to find a password that matches Sec key verify for Adv to figure out the SU without knowledge of the secret of server H(SS).
[00101] In an exemplary embodiment, distribution of images across different fingerprint scanners are disclosed in Table 1.
Table 1: Distribution of images across different fingerprint scanners
Fingerprint Scanner Number Of Images
R307-1 279
R307-2 290
R307-3 180
R307-4 170
R307-5 170
R307-6 170
R307-7 180
R307-8 170
R307-9 210
R307-10 200
Total 2019

[00102] In an exemplary implementation, fingerprint scanning is conducted using a Raspberry Pi 3 device along with 10 R307 fingerprint scanners for data collection. The models are trained in Google Colab, utilizing a Tesla T4 GPU (15GB GPU RAM), 13GB system RAM, and an Intel(R) Xeon(R) CPU @ 2.30GHz (1 core processor). Six models are trained from scratch, including EfficientNetB3, MobileNet, ResNet152, ResNet50, VGG16, and LeNet-5. The dataset is created by collecting fingerprint samples from 10 R307 scanners, each labeled from 1 to 10. The images are stored in bitmap (BMP) format with a resolution of 288 × 256 pixels. Each user provides approximately 10 fingerprint samples per scanner. Table 1 provides details on the number of fingerprint samples collected per scanner. Model weights are updated using the mini-batch gradient descent algorithm with batch sizes of 8 or 32, depending on the computational cost of the model. Training is performed on raw data without data augmentation.
[00103] EfficientNetB3 achieves the second-highest score across all evaluation metrics. The loss steadily decreases as the number of epochs increases, while accuracy rises quickly and stabilizes around 0.90 for both training and validation datasets. The loss and accuracy graphs, shown in FIGs. 6A and 6B, demonstrate good convergence and generalization. The area under the curve (AUC) score of 0.99 further supports its strong classification performance and generalizability.
[00104] Among all models, MobileNet proves to be the most robust, delivering consistent performance across evaluation metrics. Its loss and accuracy graphs, shown in FIGs. 6C and 6D, indicate a rapid initial decrease in loss and a steady increase in training accuracy. The model exhibits fast learning and shows minimal overfitting, as observed from the small gap between training and validation accuracy.
[00105] The loss and accuracy graphs for ResNet152, ResNet50, LeNet-5, are illustrated in FIGs. 6E-6F, FIGs. 6G-6H, and FIGs. 6K-6L, respectively. VGG16 performs comparably to EfficientNetB3 when processing single-channel (grayscale) images. However, when processing three-channel (RGB) images, its performance is slightly lower, though still consistent across evaluation metrics. The loss and accuracy graphs for VGG16, depicted in FIGs. 6I-6J, demonstrate good convergence, indicating effective generalization.
[00106] FIG. 7 illustrates the ROC curves for multiclass classifiers. The ROC analysis indicates that ResNet-based models are not well-suited for this task. In contrast, MobileNet and EfficientNetB3 achieve high performance across evaluation metrics while maintaining computational efficiency. Due to its superior balance between accuracy and efficiency, MobileNet is identified as the most suitable model for deployment in practical applications.
[00107] FIG. 8 illustrates an exemplary computer system architecture including processing, storage, and communication components usable for implementing embodiments of the present disclosure.
[00108] As shown in FIG. 8, the computer system 800 may include an external storage device 810, a bus 820, a main memory 830, a read-only memory 840, a mass storage device 850, communication port(s) 860, and a processor 870. A person skilled in the art will appreciate that the computer system 800 may include more than one processor and communication ports. The processor 870 may include various modules associated with embodiments of the present disclosure. The communication port(s) 860 may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fibre, a serial port, a parallel port, or other existing or future ports. The communication port(s) 860 may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system 800 connects. The main memory 830 may be random access memory (RAM) or any other dynamic storage device commonly known in the art. The read-only memory 840 may be any static storage device(s), including, but not limited to, a Programmable Read Only Memory (PROM) chip for storing static information, e.g., start-up or basic input/output system (BIOS) instructions for the processor 870. The mass storage device 850 may be any current or future mass storage solution which may be used to store information and/or instructions.
[00109] The bus 820 communicatively couples the processor 870 with the other memory, storage, and communication blocks. The bus 820 can be, e.g., a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), universal serial bus (USB), or the like, for connecting expansion cards, drives, and other subsystems as well as other buses, such a front side bus (FSB), which connects the processor 870 to the computer system 800.
[00110] Optionally, operator and administrative interfaces, e.g. a display, keyboard, and a cursor control device, may also be coupled to the bus 820 to support direct operator interaction with the computer system 800. Other operator and administrative interfaces may be provided through network connections connected through the communication port(s) 860. In no way should the aforementioned exemplary computer system 800 limit the scope of the present disclosure.
[00111] Thus, the present disclosure provides the system 102 and method 300 for robust multi-factor authentication by combining biometric fingerprint verification, hardware fingerprint analysis, and secure password validation.
[00112] While the foregoing describes various embodiments of the invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof. The scope of the invention is determined by the claims that follow. The invention is not limited to the described embodiments, versions, or examples, which are included to enable a person having ordinary skill in the art to make and use the invention when combined with information and knowledge available to the person having ordinary skill in the art.

ADVANTAGES OF THE PRESENT DISCLOSURE
[00113] The present disclosure provides a multi-factor remote authentication system and method that enhances security by combining biometric fingerprint verification, hardware fingerprint verification, and password validation.
[00114] The present disclosure provides a solution that reduces risk of unauthorized access by incorporating device-specific hardware fingerprinting.
[00115] The present disclosure provides a solution capable of detecting spoofing attempts by analyzing inconsistencies in biometric and hardware fingerprint data.
[00116] The present disclosure provides a solution that improves evaluation of authentication factors, ensuring a higher level of accuracy in access control.
[00117] The present disclosure provides a solution that verifies both identity of the entity and authenticity of scanner used for authentication, preventing unauthorized device usage.
[00118] The present disclosure provides a solution that improves security by performing hardware fingerprint verification using deep learning-based processing of biometric data on server side.
, Claims:1. A multi-factor authentication system (102) comprising:
an input device (104) configured to receive biometric input from an entity;
a fingerprint scanner (106) communicatively coupled to the input device (104), the fingerprint scanner (106) configured to capture a fingerprint image of the entity upon receipt of the biometric input through the input device (104);
a processor (108) operatively coupled to the input device (104) and the fingerprint scanner (106); and
a memory (204) operatively coupled to the processor (108), wherein the memory (204) comprises one or more processor-executable instructions which, when executed, cause the processor (108) to:
generate a payload comprising the captured fingerprint image; and
transmit the payload to a server (120) communicatively coupled to the processor (108), the server (120) configured to perform biometric identity verification by comparing the fingerprint image with a stored fingerprint template associated with the entity;
transmit the fingerprint image to a deep learning model upon successful biometric identity verification of the entity, the deep learning model configured to extract and analyse one or more hardware-specific features to verify authenticity of the fingerprint scanner (106);
receive a password from the entity, upon successful verification of the biometric identity and the authenticity of the fingerprint scanner (106);
compare the received password with stored password credentials to validate identity of the entity; and
evaluate the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification to determine authentication validity,
wherein access is granted if the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification are valid, and access is denied if at least one of the biometric fingerprint comparison, the hardware fingerprint verification, or the password verification fails.
2. The system (102) as claimed in claim 1, wherein the server (120) is further configured to:
generate a cryptographic hash using a secret key stored on the server (120); and
transmit a response payload comprising the cryptographic hash to the processor (108) upon the successful biometric fingerprint comparison, and the hardware fingerprint verification.
3. The system (102) as claimed in claim 2, wherein the processor (108) is further configured to:
receive the password entered by the entity;
generate a verification token by applying a cryptographic hash function to the received password and the received cryptographic hash; and
validate the identity of the entity based on the verification token, without storing or exposing the password or the secret key.
4. The system (102) as claimed in claim 1, wherein the server (120) is further configured to:
receive an authentication request from the processor (108), the authentication request comprising one or more identity parameters, a timestamp, and one or more cryptographic hash values;
decrypt the authentication request using a shared key;
verify integrity of the authentication request based on the received one or more cryptographic hash values and the timestamp;
upon successful decryption and verification, authenticate the biometric identity of the entity and the authenticity of the hardware fingerprint scanner;
transmit a verification message to the processor (108) to confirm authentication of the server (120);
upon successful mutual authentication between the server (120) and the processor (108), derive a session key based on the one or more cryptographic parameters, wherein the session key is configured to enable encrypted communication between the server (120) and the processor (108) during an authenticated session.
5. The system (102) as claimed in claim 4, wherein the server (120) is further configured to incorporate mechanisms to detect and flag irregularities in the authentication request.
6. A method (300) for multi-factor authentication, comprising:
receiving (302), biometric input from an entity using an input device;
capturing (304), a fingerprint image of the entity using a fingerprint scanner communicatively coupled to the input device, upon receipt of the biometric input;
generating (306), a payload comprising the captured fingerprint image by a processor operatively coupled to the input device and the fingerprint scanner;
transmitting (308), by the processor, the payload to a server for biometric identity verification, wherein the server compares the fingerprint image with a stored fingerprint template associated with the entity;
transmitting (310), by the server, the fingerprint image to a deep learning model, upon successful biometric identity verification, to extract and analyze one or more hardware-specific features to verify the authenticity of the fingerprint scanner;
receiving (312), by the server, a password from the entity, upon successful verification of the biometric identity and authenticity of the fingerprint scanner;
comparing (314), by the server, the received password with stored password credentials to validate the identity of the entity;
evaluating (316), by the server, the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification to determine authentication validity;
granting access (318), if the biometric fingerprint comparison, the hardware fingerprint verification, and the password verification are valid, and denying access, if at least one of the biometric fingerprint comparison, the hardware fingerprint verification, or the password verification fails.
7. The method (300) as claimed in claim 6, wherein the server further comprises:
generating a cryptographic hash using a secret key stored on the server; and
transmitting a response payload comprising the cryptographic hash to the processor upon successful biometric fingerprint comparison and hardware fingerprint verification.
8. The method (300) as claimed in claim 6, wherein the server further comprises:
receiving the password entered by the entity;
receiving a cryptographic hash generated using a secret key stored at the server;
generating a verification token by applying a cryptographic hash function to the received password and the received cryptographic hash; and
validating the identity of the entity based on the verification token, without storing or exposing the password or the secret key.
9. The method (300) as claimed in claim 6, wherein the server further comprises:
receiving an authentication request from the processor, the authentication request comprising one or more identity parameters, a timestamp, and one or more cryptographic hash values;
decrypting the authentication request using a shared key;
verifying integrity of the authentication request based on the received one or more cryptographic hash values and the timestamp;
authenticating the biometric identity of the entity and the authenticity of the hardware fingerprint scanner, upon successful decryption and verification;
transmitting a verification message to the processor to confirm authentication of the server;
deriving a session key based on the one or more cryptographic parameters, upon successful mutual authentication between the server and the processor, wherein the session key is configured to enable encrypted communication between the server and the processor during an authenticated session.
10. The method (300) as claimed in claim 6, further comprises detecting and flagging irregularities in authentication requests.