Abstract: The invention discloses a robust password-less biometric Identity and Access Management (IAM) system that includes a portable Biometric edge device (101) embedded with a Firmware module and an end-to-end (device (100) to server) secure crypto controller for identification, authentication, transaction authorization and secure signing (102). It includes a Hard-token through a portable Biosensing edge device, a Server stack and a Soft-token through an authenticator App. The device uses Biometrics and advanced cryptography in secure hardware to prevent identity fraud. The objective of the present invention is to provide password-less user access and support digital signatures for transaction authorization. The method and system of the present invention are unique and novel, distinguished from other existing systems by the combination of Public Key Infrastructure (PKI) and Biometric process. Fig. 1
FIELD OF INVENTION
[0001] The present invention relates to a method and system providing Biometrics Identification and Access Management (IAM) for secure transaction. Specifically, the present invention discloses an end-to-end (device to server) system comprising a robust biosensing edge device, server stack and soft-token through an authentication app.
BACKGROUND OF THE INVENTION
[0002] Traditional methods of authentication such as passwords and tokens/character grids/OTPs are proving increasingly ineffective. These methods are fraught with risks of identity theft and impersonation. Biometrics, on the other hand, cannot be forgotten or shared and are an effective method of performing reliable identification and preventing impersonation. Biometric authentication has been applied to a wide range of applications, including banking transactions, server access protected by biometrics, ID recognition for personal devices, protection of confidential files and resources in a shared environment, and many more.
[0003] The Biometric solution is based on two technology pillars: Public Key Infrastructure (PKI) and Biometric Authentication using finger-print sensor. PKI is widely adopted across the world to deliver the key elements essential for a secure and trusted network environment for applications like e-commerce, IoT and many more. Further it establishes the identity of people, devices and services by enabling controlled access to systems and resources, protection of data, ensuring accountability in transactions. Therefore, PKIs are the foundation which enables the use of technologies (like encryption, digital signatures) across the wide user population.
[0004] Several prior-art documents discuss methods, systems and devices for biometric authentication, identification and access. Patent application US11023704B2 [1] discusses a biometric sensing device that combines sensing with an actuator for two-way communication between a finger on the surface and the device.
[0005] The patent application US10404464B2 [2] discusses a method and system for registration of encrypted biometric templates in a computing device to accomplish Fast Identity Online (FIDO) compliant biometric authentication. Similarly, patent application US11036870B2 [3] discusses a method and system for a secure device-based authentication scheme. It comprises a storage unit for storing an encrypted biometric template and a processing module.
[0006] The patent application TWI769290B [4] discusses aspects of a biometric sensing device and a method of biometric authentication. It describes a biosensing device with an ultrasonic fingerprint sensor configured to transmit ultrasonic signals to the surface.
[0007] Another patent application US11343099B2 [5] discusses a system and method for securing personal information through a biometric public key. Various use cases are disclosed, including enrolment, authentication, establishing a secure communication channel and cryptographically signing a message.
[0008] The patent application US20220129532A1 [6] discusses a biometric identification platform with improved authentication, identification and verification. A combination of biometric modalities and authentication mechanisms is utilized to establish identity management and access provisioning.
[0009] It has been observed from the prior art that none of the existing methods and systems supports a comprehensive end-to-end security mechanism for a Biometric Identity and Access Management (IAM) scheme.
[0010] Considering all the drawbacks and gap analysis in the existing methods and system, the present invention has developed a secure Biometric IAM system for identification, authentication, transaction authorization and secure signing. It includes Hard-token through a portable Biosensing edge device, Server stack and Soft-token through authenticator App.
OBJECTIVE OF THE INVENTION
[0011] The primary objective of the present invention is to develop a highly secured end-to-end (device to server) Biometric Identity and Access Management (IAM) system comprising a portable biometric device, server stack and authentication app.
[0012] Another objective of the invention is to develop a system for password-less user access through a robust, secure and portable biometric device and support digital signature for transaction authorization.
[0013] Another objective of the invention is to provide a cost-effective, secure and highly efficient system for an individual or enterprise without any dependency on username/password.
SUMMARY OF THE INVENTION
[0014] The following summary is provided to facilitate a clear understanding of the new features in the disclosed embodiment and it is not intended to be a full, detailed description. A detailed description of all the aspects of the disclosed invention can be understood by reviewing the full specification, the drawing and the claims and the abstract, as a whole.
[0015] To meet the objectives, the present invention implements a method and system comprising biometric edge device, server stack and authentication app. The system meets the requirements of FIDO (Fast Identity Online) alliance with PKI (Public Key Infrastructure) and Biometric at its core.
[0016] The present invention enables multiple layers of authentication from the device provisioning phase to the server stack level. The system supports a Hard Token (hardware authenticator) and a Soft Token (authenticator running on a mobile phone) as edge devices. The Hard Token used in the system is a FIDO2 level-2 certified authenticator. The Soft Token uses the FIDO2 implementation provided by Android and iOS.
[0017] The system on chip (SoC) module in the present invention is specifically designed and developed to encrypt, store and protect the fingerprint data. It is practically impossible for a hacker or attacker to steal the stored fingerprint data.
[0018] In addition to using the combination of PKI and Biometric, the system adds many novel aspects to satisfy the more stringent requirements of an Enterprise employee/ customer (including the Banking sector). The present invention also supports audit and administrability needs of the industry, adopting multiple innovative features.
[0019] The present invention is embedded with a crypto controller module using advanced digital security technology. It provides a fully encrypted data path with encrypted calculation in the CPU, which greatly protects the device from a wide spectrum of potential attacks. Similarly, the match-in fingerprint sensor module operates on ‘patented 3D technology’ for detecting variations; it is vastly different from any 2D technology and offers higher resolution.
[0020] The disclosed invention supports package of services which includes: a) Workforce Identity and Access Management (WIAM) which can be used by client enterprise (including banks) employees. b) Customer Identity and Access Management (CIAM) which can be used by Client’s customers. c) Certifying Authority (CA).
BRIEF DESCRIPTION OF DRAWINGS
[0021] Fig. 1 illustrates components of the Biometric IAM system in accordance with the present invention;
[0022] Fig. 2a illustrates the Biometric Edge device with a USB Type C connector in accordance with the present invention;
[0023] Fig. 2b illustrates the Biometric Edge device with a USB Type A connector in accordance with the present invention.
REFERENCE NUMERALS
Device 100
Server Stack 101
Public and Private Interface 102
DETAILED DESCRIPTION
[0024] The present invention provides various embodiments and aspects described in the subsequent paragraphs. The embodiments disclosed herein can be expressed in different forms and should not be considered as limited to the listed embodiments in the disclosed invention. The various embodiments outlined in the subsequent sections are construed such that it provides a complete and a thorough understanding of the disclosed invention, by clearly describing the scope of the invention, for those skilled in the art.
[0025] The proposed system implements the objectives using a method and system design that includes hardware/firmware configuration, software design, server deployment, establishing secure communication channel and plug-in modules/interfaces.
[0026] The present invention provides a robust device credentials provisioning system with multiple layers of security. It is enabled with a device-specific identification number, ‘ChipId’, set during the device manufacturing phase. This unique ID is used for device identification and authorisation during the whole product life cycle. This robust, physically unclonable check of ‘ChipId’ protects the solution from attacks using counterfeit devices. A dedicated database has been built within the system framework to track, monitor and store all device credentials in a highly secure manner.
[0027] Further, the Biometric sensor module and Crypto controller module are paired during the process at the Precision factory before supply to the bank. The Crypto controller verifies that the sensor connected to it has the same serial number as the one it was paired with during ‘Provisioning’. The server processes information received only after validating that the secure controller and biometric sensor sending the message are paired correctly.
[0028] The proposed Biometric IAM system (100) supports the concept of authorized ‘issuers’ who can communicate with the server or edge device (101). An ‘Issuer’ is a partner who issues commands to the server or edge devices. The server stack and edge devices provide both a public and a private interface. The public interface can be used by anyone, but private commands need to be digitally signed by an issuer (102) that is known to the edge device. A facility is provided by which authorized issuers are defined for the server environment and set inside an edge device.
[0029] The present invention supports application-level data encryption in Attest and Assert requests. PKI using advanced cryptography uses signatures to verify authenticity but relies on the secure network layer (HTTPS) for encryption. Use of HTTPS on a public network (over proxies) provides adequate opportunity for man-in-the-middle attacks. In addition to network layer HTTPS encryption, TLS1.3 is adopted at the application layer to encrypt messages.
[0030] The developed Biometric IAM system enables tamper proofing. The immutable controller and sensor IDs of the device are captured during the ‘provisioning’ step. The information collected at the attestation and assertion steps is matched at the server with the data of the ‘registered’ device before acceptance. Any discrepancy results in denial of the requested service.
[0031] The method and system developed in Biometric IAM support controlled fingerprint enrolment. The system supports the following scenarios:
[0032] In an enterprise, employees are allowed to enrol fingerprints when administrators authorize the operation (under their supervision).
[0033] In a banking scenario, customers can alter fingerprints only until they accept the terms and conditions for use (register their device with the bank).
[0034] Additional customer specific rules can be implemented at the server to auto-enable/ disable enrolment control.
[0035] The present invention enables a method to support server-end fingerprint validation. Though the sensor does not give out any fingerprint information, a Global Unique ID (GUID) for every fingerprint enrolled is stored in the server. During authentication, the GUID of the fingerprint that was used is sent to the server. This is validated at the server end to determine whether it is a valid GUID issued by the server for this device.
[0036] The present invention provides end-to-end security. Communication from server to device can go through intermediaries (browser, driver). While the intermediaries will carry the messages, they cannot make sense of them, as the messages are encrypted end-to-end (between server and device). Data encryption is enabled both ‘at rest’ and ‘in transit’. All sensitive data stored in the database is encrypted using the ‘aesKey’ configuration. Similarly, encryption is performed ‘in transit’, during communication, using the concept of the authorized ‘Issuer’. Even though HTTPS/WSS is used to encrypt at the network layer, an additional mechanism encrypts data at the application layer. Data from the edge device is encrypted by the device for the server, so the driver or browser (a potential man in the middle) cannot interpret it.
[0037] The present invention enables a method for Out-Of-Band communication. In a web application, communication with the server uses ‘in-band’ https. In addition to ‘in-band’ communication channel, an alternate ‘out-of-band’ secure WebSocket (wss) channel is established. This allows bidirectional communication (not just request/ response) and eliminates the man-in-the-middle attack risks.
[0038] In one embodiment of the present invention, password management is the key feature. Here the biometric key protects the user’s passwords and fingerprints inside the device in encrypted form. The user’s fingerprints and passwords are encrypted and stored locally in the device. This feature acts like a password manager to enable a safe and secure login process for the end user, with additional features such as a strong password generator and isolation of the URL and username from the password, keeping them in different locations, which makes it more robust and secure. PKI is used to identify the device and the user through two different private keys that are generated and stored within the device during the user registration process.
[0039] Another key feature is file encryption. The controller used in the biometric device is certified to Common Criteria EAL 6+ (High Security), with a True Random Number Generator (TRNG) compliant with AIS 20/31 PTG.2. The device generates AES keys to encrypt the file, and the key is stored within the device, where it is accessible only when the fingerprint is matched. User files can thus be encrypted and the data made undecipherable to others.
[0040] Storing certificates from a CA is a key feature of the present invention. The biometric device has the ability to store certificates issued by the Certifying Authority to enable digital signing. The trusted platform module enables this feature.
[0041] The present invention can restrict the servers with which the device communicates. The device maintains a list of authorized relying parties (RPs) and a public key for each RP. As no username/password is ever sent to a server, ‘phishing’ attacks are eliminated.
[0042] The present invention enables a fingerprint-based rules method. In this method, server-side rules allow or disallow actions based on the fingerprint type. For example, the left thumb and index finger may be used to log in, right-hand fingers for transaction approval, and, say, the ‘middle finger’ to raise an alarm and disable the device.
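The issuer-signed private commands of [0028] and the relying-party allow-list of [0041] both come down to the edge device verifying a signature against a public key pinned inside it at provisioning. The Go model below is an added illustration, not the product's firmware: it assumes Ed25519 keys pinned directly (the description's certificate exchange is collapsed to raw keys), a purpose label with length-prefixed fields in every signed message, and constructed names such as `bank-ops` and `bank.example`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

var (
	ErrUnknownIssuer = errors.New("issuer not provisioned in device")
	ErrUnknownRP     = errors.New("relying party not on device allow-list")
	ErrBadSignature  = errors.New("signature verification failed")
)

// EdgeDevice holds what is set inside the device at provisioning: the issuers
// allowed to send private commands, the relying parties whose challenges it
// will answer (one pinned public key each), and the device's own key pair.
type EdgeDevice struct {
	Issuers map[string]ed25519.PublicKey
	RPs     map[string]ed25519.PublicKey
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey // never leaves the device
}

func NewEdgeDevice() *EdgeDevice {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &EdgeDevice{Issuers: map[string]ed25519.PublicKey{}, RPs: map[string]ed25519.PublicKey{}, Pub: pub, priv: priv}
}

// Msg length-prefixes a purpose label and each field, so a signature made for
// one purpose or one field split can never verify as another.
func Msg(label string, parts ...[]byte) []byte {
	out := []byte(label)
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		out = append(out, n[:]...)
		out = append(out, p...)
	}
	return out
}

// HandleCommand serves public commands to anyone; a private command is
// accepted only if a provisioned issuer signed Msg("cmd", issuer, cmd).
func (d *EdgeDevice) HandleCommand(issuer, cmd string, private bool, sig []byte) error {
	if !private {
		return nil
	}
	pub, ok := d.Issuers[issuer]
	if !ok {
		return ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, Msg("cmd", []byte(issuer), []byte(cmd)), sig) {
		return ErrBadSignature
	}
	return nil
}

// Assert answers a challenge only for an allow-listed RP whose signature over
// Msg("rp", rpID, challenge) verifies, so the device authenticates the bank's
// server first; the reply is a signature, never a username or password.
func (d *EdgeDevice) Assert(rpID string, challenge, rpSig []byte) ([]byte, error) {
	pub, ok := d.RPs[rpID]
	if !ok {
		return nil, ErrUnknownRP
	}
	if !ed25519.Verify(pub, Msg("rp", []byte(rpID), challenge), rpSig) {
		return nil, ErrBadSignature
	}
	return ed25519.Sign(d.priv, Msg("assert", []byte(rpID), challenge)), nil
}
```

The RP server verifies the returned assertion with `ed25519.Verify(device.Pub, Msg("assert", rpID, challenge), sig)` against the device key it stored at registration.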
Working Example: Banking Transaction Authorization
[0043] The hard token (100), herein the key, which is the biosensing edge device (101), is registered with the bank’s server with all its details: the device serial number, which is unique for every single device and is allotted at the manufacturing stage, and the digital certificate of the device, which is also unique for each device. This information is paired with user data at the bank’s server stack of the said solution.
[0044] At the time of registration, the customer is allotted a biosensing edge device with all the data tagged for the customer. Once the customer receives the device from the bank, they enroll their fingerprint to enable the device to initiate IAM.
[0045] When the customer initiates the authorization process, the registered device first communicates with the server stack (bank-side framework) and reconfirms the unique ID of the device (the ID is stored in the bank’s server). The verification not only confirms the customer’s identity but also verifies the bank’s server. This eliminates man-in-the-middle, phishing and duplicate-site problems. Once the verification is completed, the bank’s server allows the user to log into his/her bank account. This certificate exchange and handshake happens between the public key and private key stored in the biometric device and the server stack. This process is done through PKI methodology. PKI using elliptic curve cryptography uses signatures to verify authenticity but relies on the secure network layer (HTTPS) for encryption. Use of HTTPS on a public network (over proxies) provides adequate opportunity for man-in-the-middle attacks. In the present invention, in addition to network layer HTTPS encryption, TLS1.3 is adopted at the application layer to encrypt messages.
[0046] The disclosed IAM solution supports Server-end fingerprint validation. Though the sensor does not give out any fingerprint information, a Global Unique ID (GUID) for every fingerprint enrolled is stored in the server. During authentication, the ID of the finger used is sent to the server. This is validated at the server end to determine if it is a valid GUID issued by the server for this device.
[0047] The customer initiates a transaction once the registered device is authorized; during the transaction the customer is asked to confirm his/her identity. This happens by matching the fingerprint data stored in the device and validating the unique ID of the registered device, which is stored in the server stack. Once the authentication is successful, the user is allowed to finish the transaction. As the disclosed solution restricts the servers with which the device can communicate, the device maintains a list of authorized relying parties and a public key for each RP. As no username/password is ever sent to a server, ‘phishing’ attacks are eliminated.
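The server-end checks described in [0027], [0030], [0035] and [0042], and repeated for the banking flow in [0046] and [0047] (controller/sensor pairing unchanged, finger GUID issued for this device, finger-type rules), can be modelled as one validation routine. The Go code below is an added example, not the patented system's server stack; the ChipId, serial numbers and GUIDs are constructed values, and which middle finger acts as the duress finger is an assumption.

```go
package main

import "errors"

// FingerType models the finger-based rules in the description: left-hand
// fingers log in, right-hand fingers (the index here) approve transactions,
// and a middle finger is reserved as a duress finger (which hand is assumed).
type FingerType int

const (
	LeftThumb FingerType = iota
	LeftIndex
	RightIndex
	DuressMiddle
)

// Actions the server gates by finger type.
const (
	ActionLogin   = "login"
	ActionApprove = "transaction_approval"
)

// Registration is what the server keeps from provisioning: the immutable
// controller and sensor IDs paired to this ChipId and the GUID the server
// issued for each enrolled finger (the sensor never exports the print itself).
type Registration struct {
	ControllerID, SensorID string
	Fingers                map[string]FingerType // fingerprint GUID -> finger
}

// Assertion is the constructed per-authentication report from a device.
type Assertion struct {
	ChipID, ControllerID, SensorID, FingerGUID, Action string
}

// Server is the registered-device database, keyed by ChipId.
type Server map[string]*Registration

var (
	ErrUnknownDevice = errors.New("device not registered or disabled")
	ErrTamper        = errors.New("controller/sensor pairing differs from registration")
	ErrBadGUID       = errors.New("fingerprint GUID was not issued for this device")
	ErrNotAllowed    = errors.New("finger not permitted for this action")
	ErrDuress        = errors.New("duress finger used: alarm raised, device disabled")
)

// Validate applies the server-end checks in order: registered device,
// controller/sensor pairing unchanged (tamper proofing), finger GUID issued
// for this device, and finally the finger-type rule for the requested action.
func (s Server) Validate(a Assertion) error {
	reg, ok := s[a.ChipID]
	if !ok {
		return ErrUnknownDevice
	}
	if reg.ControllerID != a.ControllerID || reg.SensorID != a.SensorID {
		return ErrTamper
	}
	finger, ok := reg.Fingers[a.FingerGUID]
	if !ok {
		return ErrBadGUID
	}
	switch {
	case finger == DuressMiddle:
		delete(s, a.ChipID) // disable: every later request from this device is refused
		return ErrDuress
	case a.Action == ActionLogin && (finger == LeftThumb || finger == LeftIndex):
		return nil
	case a.Action == ActionApprove && finger == RightIndex:
		return nil
	}
	return ErrNotAllowed
}
```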
[0048] Should the user desire to carry out the same process as described above, without the hardware token, the user may use the disclosed ‘Soft-token’ component. In this scenario, the user’s mobile phone device, containing the soft-token authenticator application would facilitate the user authentication with the inbuilt biometric sensor on the mobile phone. The application would also leverage PKI to exchange keys with the bank server to establish bi-directional trust.
[0049] The present invention provides a dynamically adjustable adaptive authentication mechanism. Through AI/ML models applied to the incoming stream of user data, the present invention steps the required level of authentication up or down. Attributes such as the user’s host IP address in past and current sessions, use of malicious/blacklisted IPs, current and historical locations (latitude/longitude), ISP, browser, OS, presence of malware, etc. are monitored on a continuous basis, and re-authentication at a different level is requested when an anomaly is suspected. Behavioural data such as keypad dynamics, mouse movement, form-filling patterns and sensor inputs (gyroscope, …) are monitored to detect suspicious activity. When hacker-like patterns are detected, the present invention enforces re-authentication to ensure the solution remains robust not only during login and transaction authorisation but throughout the user session.
CLAIMS
1. A biometric system to provide a robust device credentials provisioning system with multiple layers of security aspects consisting of:
a device specific identification number ‘ChipId’ (100) set during the device manufacturing phase;
unique ID used towards device identification and authorisation during the whole product life cycle;
a database built within the system framework to track, monitor and store device credentials in a secured manner;
a biometric sensor module and crypto controller module are paired during the process;
crypto controller verifies that the sensor connected to it has the same serial number as the one it was paired with during ‘Provisioning’; and
a server which processes information received after validating that the secure controller and biometric sensor sending the message are paired correctly.
2. The biometric system to provide a robust device credentials provisioning system with multiple layers of security aspects as claimed in claim 1 wherein the said system authorizes ‘issuers’ who can communicate with the server or edge device wherein the ‘Issuer’ is a partner who issues commands to the server or edge devices; the said server stack and edge devices (101) provide both public and private interface (102).
3. The biometric system to provide a robust device credentials provisioning system with multiple layers of security aspects as claimed in claim 1 wherein the said system is provided with a facility by which authorized issuers are defined for server environment and set inside an edge device.
4. A biometric method to provide a robust device credentials provisioning with multiple layers of security aspects comprising the steps of:
a. a Global Unique ID (GUID) for every fingerprint enrolled is stored in server;
b. during authentication, which fingerprint was used is sent to the server;
c. validating at the server end to determine if it is a valid GUID issued by the server for this device;
d. bidirectional communication request/ response;
e. server-side rules allow / disallow actions based on fingerprint type;
f. monitoring on a continuous basis and re-authentication at a different level is requested when anomaly is suspected; and
g. enforcing reauthentication to ensure the solution remains robust not only during login and transaction authorisation but throughout the user session.
| # | Name | Date |
|---|---|---|
| 1 | 202341003459-STATEMENT OF UNDERTAKING (FORM 3) [17-01-2023(online)].pdf | 2023-01-17 |
| 2 | 202341003459-PROVISIONAL SPECIFICATION [17-01-2023(online)].pdf | 2023-01-17 |
| 3 | 202341003459-POWER OF AUTHORITY [17-01-2023(online)].pdf | 2023-01-17 |
| 4 | 202341003459-FORM FOR SMALL ENTITY(FORM-28) [17-01-2023(online)].pdf | 2023-01-17 |
| 5 | 202341003459-FORM FOR SMALL ENTITY [17-01-2023(online)].pdf | 2023-01-17 |
| 6 | 202341003459-FORM 1 [17-01-2023(online)].pdf | 2023-01-17 |
| 7 | 202341003459-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [17-01-2023(online)].pdf | 2023-01-17 |
| 8 | 202341003459-EVIDENCE FOR REGISTRATION UNDER SSI [17-01-2023(online)].pdf | 2023-01-17 |
| 9 | 202341003459-DECLARATION OF INVENTORSHIP (FORM 5) [17-01-2023(online)].pdf | 2023-01-17 |
| 10 | 202341003459-DECLARATION OF INVENTORSHIP (FORM 5) [17-01-2023(online)]-1.pdf | 2023-01-17 |
| 11 | 202341003459-Proof of Right [31-01-2023(online)].pdf | 2023-01-31 |
| 12 | 202341003459-Correspondence_Form-1_06-02-2023.pdf | 2023-02-06 |
| 13 | 202341003459-ENDORSEMENT BY INVENTORS [17-01-2024(online)].pdf | 2024-01-17 |
| 14 | 202341003459-DRAWING [17-01-2024(online)].pdf | 2024-01-17 |
| 15 | 202341003459-COMPLETE SPECIFICATION [17-01-2024(online)].pdf | 2024-01-17 |
| 16 | 202341003459-FORM-9 [29-01-2024(online)].pdf | 2024-01-29 |
| 17 | 202341003459-MSME CERTIFICATE [30-01-2024(online)].pdf | 2024-01-30 |
| 18 | 202341003459-FORM28 [30-01-2024(online)].pdf | 2024-01-30 |
| 19 | 202341003459-FORM 18A [30-01-2024(online)].pdf | 2024-01-30 |
| 20 | 202341003459-FER.pdf | 2024-04-05 |
| 21 | 202341003459-Retyped Pages under Rule 14(1) [20-09-2024(online)].pdf | 2024-09-20 |
| 22 | 202341003459-FORM-26 [20-09-2024(online)].pdf | 2024-09-20 |
| 23 | 202341003459-FER_SER_REPLY [20-09-2024(online)].pdf | 2024-09-20 |
| 24 | 202341003459-ABSTRACT [20-09-2024(online)].pdf | 2024-09-20 |
| 25 | 202341003459-2. Marked Copy under Rule 14(2) [20-09-2024(online)].pdf | 2024-09-20 |
| 26 | 202341003459-US(14)-HearingNotice-(HearingDate-19-11-2024).pdf | 2024-10-18 |
| 27 | 202341003459-FORM-26 [21-10-2024(online)].pdf | 2024-10-21 |
| 28 | 202341003459-Correspondence to notify the Controller [21-10-2024(online)].pdf | 2024-10-21 |
| 29 | 202341003459-Written submissions and relevant documents [02-12-2024(online)].pdf | 2024-12-02 |
| 30 | 202341003459-Retyped Pages under Rule 14(1) [02-12-2024(online)].pdf | 2024-12-02 |
| 31 | 202341003459-2. Marked Copy under Rule 14(2) [02-12-2024(online)].pdf | 2024-12-02 |
| 32 | 202341003459-PatentCertificate29-03-2025.pdf | 2025-03-29 |
| 33 | 202341003459-IntimationOfGrant29-03-2025.pdf | 2025-03-29 |
| 34 | 202341003459-FORM FOR SMALL ENTITY [06-06-2025(online)].pdf | 2025-06-06 |
| 35 | 202341003459-EVIDENCE FOR REGISTRATION UNDER SSI [06-06-2025(online)].pdf | 2025-06-06 |
| 1 | 202341003459E_28-02-2024.pdf | |