A BIOMETRIC FACE RECOGNITION BASED CONTINUOUS AUTHENTICATION AND AUTHORIZATION SYSTEM

Abstract

A method and system for continuously authenticating a user working from a remote location is provided. The method includes providing user an interface to login through his login credentials to company domain. The login credentials are authenticated by a company's remote server. Once the user is authenticated the server pushes user's secondary authentication details to user's device and invokes a secondary authentication system. The secondary authentication system may include a webcam that initiates once user is logged in and continuously monitors biometric parameters for continued authentication of the user.

Description

FIELD OF THE INVENTION

The present disclosure generally relates to authenticating a user. More specifically, the present invention relates to a continuous authentication and authorization method and system especially in work from home scenarios over the public internet network.

BACKGROUND OF THE INVENTION

With the ever increasing workloads of employees of a company, there is an increasing demand for providing access of office infrastructure to employees from anywhere and everywhere. Employees could be either travelling due to work wherein to work from their current locations, they require access to a company's network. Further, the employees could also, be stuck in some situation at home for which they may request a permission to work from their homes. Also, the employees may be visiting any other office of the company from which they would like an access to work from their own office domain. All these situations add to IT infrastructure.

To provide such access to the employees, there are various solutions that are provided by today's IT. There exists VPN access wherein the employee is required to enter his credentials in order to enter office domain and work.

However, there is a drawback in such solutions. Once the employee enters, he or she may or may not work by himself and may take others help or since the employees are outbound someone may work on their behalf instead of the employee itself. This adds to the risk of data theft since the data of the company is confidential and may have restricted access for a specific employee only. Furthermore, other available solutions include providing dedicated connection channels that add to the cost of the company expenditure.

Therefore, there exists a need for an improved method and system to authenticate, authorize and constantly validate identity of the employee accessing office infrastructure without providing any dedicated channels in above mentioned situation.

SUMMARY OF INVENTION

The invention provides a solution to the above mentioned problems. For this the invention provides a method to continuously authenticate and authorize a user over the public internet network. The method includes a user initiating a user interface to login to a remote server. The user interface requires user's credentials to be input to the user interface. Once the user inputs his/her credentials, the data is sent to the remote server for authentication. The server stores credentials of multiple users and when it receives the credentials of a user the server authenticates it. In return to this the server pushes a secondary authentication data into the device through which the user is trying to login. Also, the remote server initiates a secondary authentication device like a digital camera etc. in order to continuously monitor the user's biometric scans like facial recognition etc. through which user is authenticated continuously. The biometric scans are matched with the secondary authentication data that is pushed by the server and that is stored in memory of the device from which user is trying to login.

BRIEF DESCRIPTION OF THE DRAWINGS

The subject matter that is regarded as the invention is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other aspects, features, and advantages of the invention are apparent from the following detailed description taken in conjunction with the accompanying drawings in which:

FIG. 1 illustrates a flow chart to depict a method according to an embodiment of the invention.

FIG. 2 illustrates a system according to another embodiment of the invention.

It is to be noted that the drawings presented are intended solely for the purpose of illustration and that they are, therefore, neither desired nor intended to limit the disclosure to any or all of the exact details of construction shown, except insofar as they may be deemed essential to the claimed invention.

DETAILED DESCRIPTION

A few inventive aspects of the disclosed embodiments are explained in detail below with reference to the various figures. Exemplary embodiments are described to illustrate the disclosed subject matter, not to limit its scope, which is defined by the claims. Those of ordinary skill in the art will recognize a number of equivalent variations of the various features provided in the description that follows.

Referring to FIG. 1 which illustrates a method 100 to continuously authenticate a user according to an embodiment of the invention. The method starts at step 102 by displaying a master login interface to the user who wants to connect to a company server through a network. In an embodiment of the invention, the master login interface may include fields like username password or any biometric feature dialogue box like “place your finger” etc. Hence, first level of authentication may be either simply based on credentials or may be based on user's biometric scans like fingerprint, voice print, ophthalmic images facial recognition etc.

Moving to step 104, the user follows instructions and provides his input with credentials into the fields available on the master login interface displayed to the user. The master login interface receives user's inputs and sends these credential details over the network to the company server. In an embodiment of the invention the network can be anyone of a wired, wireless, a mobile network, 3G, 4G, LTE, etc. In another embodiment of the invention, the company server stores the credential details of all the users. At step 106, after the server receives credential from the user, it checks its database to find out whether the credentials are correct.

Still referring to FIG. 1, moving to step 108, the server after checking its database decides whether the credentials of the user are correct or not. If the credentials entered are wrong the server again displays the user credentials login user interface to the user. However, if the credentials supplied are correct, the server at step 110 authenticates the user. At step 112, the user is allowed access of company's network wherein the user is connected to company server and can work. At step 114, the method 100 initiates a re-authentication program for the user. In an embodiment of the invention, the secondary security authentication can be facial recognition, or ophthalmic recognition. In order to achieve this, on first authentication, the company server invokes a program on user's device that initiates webcam of the user's device. Also, the server sends the secondary authenticated credentials to the device itself that may be stored in a memory of the user's device in order to optimize network usage. In an embodiment of the invention, the user's device can be anyone of a laptop, personal computer, mobile, a tablet computer, a personal digital assistant, etc. At step 116, the webcam initiated at step 114 of the method 100, continuously monitors and re-authenticates the user by tracking its biometric scans that may include facial recognition or ophthalmic scans etc. At step 118, the server decided whether the user is authenticated or not. If not, then at step 120 the server may either terminate the session or can log the time of session for which the user was not authenticated and save the same. However, if the user is an authenticated user, the server allows the session to continue at step 122. Logs of the user authenticated sessions may also be recorded and the log file may be either maintained within the user device or by the company server itself.

Now referring to FIG. 2, that illustrates a system 200, according to an embodiment of the invention, in order to continuously authenticate a user during an active session for e.g. in a work from home situation. The system includes a user 202 that requires an access to company's server 210. In an embodiment of the invention, the user 202 may be an outbound employee, a travelling employee, an employee on work from home facility, etc. In another embodiment of the invention, the company's server 210 stores the login credentials of all of the company's employees. The system further includes a user device 204 wherein, the user device 204 can be anyone of a laptop, a personal computer, a smartphone, a personal digital assistant, a smartwatch, or a tablet computer. The user device 204 is connected to the company's server 210 that is remotely placed through a network 208. Furthermore, the system 200 further includes a secondary authentication device 206 that is attached to the user's device 204 either wirelessly or through wires. Also, the secondary authentication device 206 may be attached to the server 210 through the network 208. In an embodiment of the invention the network 208 can be anyone of a wired, wireless, a mobile network, 3G, 4G, LTE, etc.

Still referring to FIG. 2 the user's device 204 is capable of displaying a user interface 212 pushed by the company's server 210 when the user 202 tries to access the company's server 210. The user interface 212 may either include login fields like username password or can simply prompt the user for biometric scans like ophthalmic scans using the secondary authentication device 206. When the user 202 inputs his login credentials, the login data is received by the company' server 210 over the network 208. The company's server 210 matches the data with the stored data. Once the credentials have been matched and the user credentials are identified, the user 202 is provided an access to the system. Simultaneously, the company's server 210 sends a command to the user's device 204 to invoke a security algorithm Also, the company server 210 pushes the secondary authentication data to the user device 204 itself so that it is stored in memory of the user device 204. This is done so as to efficiently use the network since continuous authentication with remotely placed server would use high bandwidth. Therefore, it is beneficial to use the locally placed device to perform this function. The security algorithm invoked, initiates the secondary authentication device 206 that is a webcam. The webcam 206 then starts a process of continued authentication of the user 202 without disrupting work of the user 202. The webcam authenticates the user 202 by capturing facial recognition or ophthalmic scans. This authentication is then checked with the data pushed by the company's server 210 to the user's device 204. If the user 202 is authenticated, the session is continued otherwise either the session is terminated or a log is maintained of the time to which the user was not authenticated.

The foregoing description and drawings comprise illustrative embodiments of the present invention. Having thus described exemplary embodiments, it should be noted by those ordinarily skilled in the art that the within disclosures are exemplary only, and that various other alternatives, adaptations, and modifications may be made within the scope of the present invention.

Although the present invention has been illustrated and described as embodied in various exemplary embodiments, it should be understood that the present invention is not limited to the details shown herein. Since it will be appreciated that several of the above-disclosed and other features and functions, or alternatives thereof, may be desirably combined into many other different systems or applications. Various embodiments modifications presently unforeseen or unanticipated alternatives, modifications, variations, or improvements therein may subsequently be made by those skilled in the art, which are also intended to be encompassed by the following claims.

Merely listing or numbering the steps of a method in a certain order does not constitute any limitation on the order of the steps of that method. Many modifications and other embodiments of the invention will come to mind to one ordinarily skilled in the art to which this invention pertains having the benefit of the teachings presented in the foregoing descriptions and the associated drawings.

The principles associated with the various embodiment defined herein may be applied to other embodiments. Therefore, in no way, the examples or the description is intended to be limited to the embodiments shown along with the accompanying drawings but is to be provided broadest scope consistent with the principles and novel and invention features describe/disclosed or suggested herein. Any modifications, equivalent substitutions, improvements etc. within the spirit and principle of the present invention shall all be included in the scope of protection of the present invention.

Claims

1. A method of continuous authentication over a public internet network comprising; receiving a user credentials for a master login interface authentication;matching the user credentials with a server of pre-stored user profiles;providing an access to work on server session on a successful match of the first user credentials;re-authenticating the user during the work on server session, wherein the re-authenticating comprises:capturing at least one biometric feature of the user; andmatching the biometric feature with a biometric profile of the user, wherein the matching of the biometric feature to authenticate the user, is completed by a local device that acquires the user's biometric profile from the database during the master login interface.

2. The method of claim 1, wherein the user credentials is at least one of a password based credential, a biometric authentication of the user.

3. The method of claim 2, wherein the biometric authentication is anyone or a combination of a fingerprint scan, ophthalmic scan, voice scan, or facial scan.

4. The method of claim 1, wherein the master login interface authentication is done by a remote database.

5. The method of claim 1, wherein the biometric profile for re-authentication is anyone of a fingerprint, ophthalmic scan, voice scan, or facial scan.

6. The method of claim 1, wherein the server initiates a local authentication capturing device after the master login interface authentication.

7. A system for continuous authentication over a public internet network comprising; a user device, wherein the user device further includes;a display to provide user interface configured to receive user's login credentials for a session; anda processor operatively connected to the display, wherein the processor is configured to encrypt and transmit the received user's login credentialsa server communicatively coupled to the user device, wherein the server is configured to store a plurality of profiles of a plurality of users and further configured to receive the user's login credentials and perform match between the received credentials with the stored plurality of profiles;a local authentication device operatively coupled to the user device and the server wherein the local authentication device is configured to initiate once the user's login credentials are authenticated and re-authenticate the user with another set of user credentials during the session received from the server on a successful initiation.

8. The system of claim 7, wherein then user device is selected form a group comprising a laptop, a tablet computer, a smartphone, a personal digital assistant, a smart watch, and a desktop.

9. The system of claim 7, wherein the display is selected from a group comprising Dot matrix LED display, Digital LED matrix display, Liquid Crystal Display (LCD), Organic LED (OLED) display, and Active Matrix organic LED (AMOLED) display.

10. The system of claim 7, wherein the user's credentials are a username password.

11. The system of claim 7, wherein another set of user credentials is selected from a group comprising a fingerprint scan, ophthalmic scan, voice scan, and a facial scan.

12. The system of claim 7, wherein the local authentication device is selected from group comprising a digital camera, fingerprint scanner, and a mic.

13. The system of claim 12, wherein the local authentication device is placed internal or external to the computing device.

14. The system of claim 7, wherein the computing device and server communicate through a communication module, the communication module being selected from a group comprising a Universal Serial Bus (USB) module, a micro USB module, a Bluetooth module, a Wi-Fi module, Zigbee module, a NearBytes module, and a Near Field Communication (NFC) module.

15. A system for performing continuous authentication of an employee in work from home situation over public internet network comprising; a user device, wherein the user device further includes;a display to provide user interface configured to receive user's login credentials for a session; anda processor operatively connected to the display, wherein the processor is configured to encrypt and transmit the received user's login credentialsa server communicatively coupled to the user device through a network, wherein the server is configured to store a plurality of profiles of a plurality of users and further configured to receive the user's login credentials and perform match between the received credentials with the stored plurality of profiles;a local authentication device operatively coupled to the user device and the server, wherein the local authentication device is configured to initiate once the user's login credentials are authenticated and re-authenticate the user with another set of user credentials during the session received from the server on a successful initiation.

16. The system of claim 15, wherein then user device is selected form a group comprising a laptop, a tablet computer, a smartphone, a personal digital assistant, a smart watch, and a desktop.

17. The system of claim 15, wherein the local authentication device is placed internal or external to the computing device.

18. The system of claim 15, wherein the server is remotely placed.

19. The system of claim 18, wherein the network is a public internet network.