Invented by Margaret Bouse, Idemia Identity and Security USA LLC
The Idemia Identity and Security USA LLC invention works as follows. The computer-implemented methods include: receiving a request to associate an index of privileges and permissions with an identity token, where the token specifically encodes the privileges and permissions of a subscriber who has access to transactional data from the requester. The request includes the identity token that identifies the person, which was issued to the user by a trusted party through a vetting procedure; upon determining the validity of the token and verifying the requester
Background for System and Method for Identity Management
Transactions between consumers and providers may be susceptible to identity theft, fraud, spoofing or phishing. All of these risks could potentially hamper the flow of commerce.
In one aspect, some implementations provide a computer-implemented method for determining the trustworthiness of a transaction request submitted by a user to access data managed by a participant entity.
Implementations may include any or all of the following features. The method can include submitting a further inquiry to an authentication policy server to determine the scope of the participant entity's right to verify the identities of users through the transaction authentication engine; receiving from the authentication policy engine a response that includes a computed validity score indicative of that scope; determining, based on both the computed authenticity score and the computed validity score, whether the transaction request made by the user is trustworthy; and notifying the participant entity about the
Submitting the second inquiry to the authentication policy server can also include submitting a second inquiry to determine the scope of the participant entity's right to use a specific identity database. Receiving the reply from the authentication policy engine then includes receiving a reply containing a computed validity score indicative of the scope of that right.
The method can also include receiving a query result from the particular identity database according to the scope of the participant entity's access rights, where the result is the identity database's response to a query submitted to it.
Determining the trustworthiness of the transaction request can then be based on the query result together with the computed authenticity score and the computed validity score.
The method can further include temporarily storing received query results and their corresponding queries at the transaction authentication engine, and allowing a future query to the particular identity database to be served from the temporarily stored results according to the determined scope of the participant entity's right to access that database.
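As an added illustration (not the patent's own code), the following Python models the two-query decision described in the passages above: an authentication policy engine returns a validity score for the participant entity's scope, an authentication verification engine returns an authenticity score from an identity database, and the transaction authentication engine combines both and keeps query results in temporary, scope-gated storage. The policy table, identity records, score scale and threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy table (assumption): identity databases each participant
# entity may query, with the validity weight its purchased policy grants.
POLICIES = {
    "acme-bank": {"dmv-db": 1.0, "passport-db": 0.8},
    "shop-xyz": {"dmv-db": 0.5},
}

# Constructed identity records (assumption) that the verification engine
# matches claimed user attributes against.
IDENTITY_DBS = {
    "dmv-db": {"alice": {"dob": "1990-01-01", "doc": "D123"}},
    "passport-db": {"alice": {"dob": "1990-01-01", "doc": "P999"}},
}

def validity_score(participant: str, db: str) -> float:
    """Authentication policy engine: scope of the participant entity's
    right to use this identity database (0.0 means no right at all)."""
    return POLICIES.get(participant, {}).get(db, 0.0)

def authenticity_score(db: str, claimed: dict) -> float:
    """Authentication verification engine: fraction of the claimed
    identifying fields that match the record held in the database."""
    record = IDENTITY_DBS[db].get(claimed["user"])
    fields = [k for k in claimed if k != "user"]
    if record is None or not fields:
        return 0.0
    matches = sum(1 for k in fields if record.get(k) == claimed[k])
    return matches / len(fields)

@dataclass
class TransactionAuthenticationEngine:
    threshold: float = 0.7
    # Temporary storage of query results keyed by (database, query).
    cache: dict = field(default_factory=dict)

    def is_trustworthy(self, participant: str, db: str, claimed: dict) -> bool:
        """Combine the validity score and the authenticity score; a cached
        query result is only reused when the participant's scope allows it."""
        validity = validity_score(participant, db)
        if validity == 0.0:
            return False  # no right to query this database, cached or not
        key = (db, tuple(sorted(claimed.items())))
        if key not in self.cache:
            self.cache[key] = authenticity_score(db, claimed)
        return self.cache[key] * validity >= self.threshold
```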
The method can also include retrieving an authentication policy from the authentication policy server. The authentication policy governs communication between the transaction authentication engine and the authentication verification engine. The method may further include configuring a communication protocol with the authentication verification engine, which can include configuring it according to the authentication policy purchased by the participant entity. Configuring the communication protocol can also include configuring two protocol components: a first component to encrypt data transmitted by the transaction authentication engine to the authentication verification engine, and a second component to decrypt data received by the authentication verification engine from the transaction authentication engine.
In another aspect, the method includes: receiving, at an authentication verification engine, an inquiry from a transaction authentication engine regarding a request by a user to access data managed by a participant entity; using information that identifies the user to construct a query for verifying the identity of the requester; sending the query to an identity database in communication with the authentication verification engine; receiving a reply from the identity database in answer to the query; and computing an authenticity score based upon the reply to quantify the
Implementations can include additional features. The method can also include gathering the information identifying the user by calling a method embedded in the transaction request, receiving a return value from that call, and retrieving the identifying information from the return value. Gathering the information that identifies the user can include encoding information about the user's biometric, encoding a user-name/password pair for accessing an online account, or obtaining data from the user's identification document.
The method can include configuring a communication protocol with the identity database, where the protocol is determined by an authentication policy that governs the participant entity's data access rights in the identity database. Configuring the protocol may also include configuring it in accordance with the authentication policy purchased by the participant entity, and may include configuring a first protocol component to encrypt data transmitted by the authentication verification engine to the identity database and a second protocol component to decrypt data received by the authentication verification engine from the identity database.
The method can also include configuring the component fields of user identity data that are admitted to the identity database through a vetting procedure, managing attributes that correspond to those component fields, and configuring access to the component fields within the identity database according to the protocol. Configuring the protocol for communicating with the identity database may include configuring a protocol for an identity database provided by a government entity, where the government entity administers a background check on the user before entering the corresponding user identity data into the database. It may also include configuring a protocol for communicating with an identity database provided by an entity other than a government entity or the participant entity.
In another aspect, the method includes: receiving, at an authentication policy engine, an inquiry from a transaction authentication engine regarding a participant entity attempting to confirm the identity of a user who has submitted a transaction request at the participant entity; determining the authentication policy under which the participant entity may verify the identity; computing a validity score for the participant entity based on the authentication policy; and providing the computed score to the transaction authentication engine for determining the trustworthiness of the transaction request submitted by the user at the participant entity.
Implementations can include the following features. The method can also include gathering information about the participant entity based upon the received inquiry and determining the authentication policy based upon the gathered information. The method can include, based upon the received inquiry, logging the verification activities requested by the participant entity and analyzing the logs to determine the participant entity's usage. The method can further include logging requests to access an identity database as part of the verification activities requested.
The method can also include profiling the logged queries to determine the participant entity's pattern of usage of the identity database. Based on the determined usage, the method can also include performing accounting to determine the use fee charged to the participant entity for accessing the identity database. Accounting may include measuring one or more of the following: the number of queries the participant entity submitted to the database, the amount of data the entity sent to access the database, the number of responses to those queries sent to the entity, and the amount of data the entity received. Calculating the validity score can include comparing the determined usage by the participant entity with the participant entity's authentication policy.
The method can also include providing an administrative interface that reports the determined usage to an administrator, and providing feedback based on the determined usage to enable load balancing of future queries submitted to the identity database. The method can also include providing an application programming interface through which the authentication policy engine extends its service to the participant entity so that it can access identity databases other than the one already serviced, and providing an application programming interface that allows another authentication policy engine to access the identity databases serviced by this authentication policy engine.
In another aspect, the method includes determining the identities of both the user and the participant entity, and then querying the database of the verified identity engine based on this information.
The method can further include, upon determining that the transaction request was originally sent by the user to the participant entity and that the user has not yet authorized this participant entity as a business partner, adding the participant entity to the database of the verified identity engine.
The method can also include, when the transaction request submitted by the user is a response to the participant entity's solicitation, having the verified identity engine query its database to determine whether the user has authorized the participant entity as a business partner.
The method can also include alerting the user when the participant entity has not been authorized by the user as a business partner.
The database of the verified identity engine can be queried to determine whether the participant entity is a business partner authorized by the user.