This invention relates to biometric authentication, particularly to systems and methods for biometric authentication of individuals involved in transactions employing the World Wide Web.
Broadly described, the World Wide Web (the "Web") is a decentralized, electronic database service offering a universe of dynamically connected information, the information being in any of various media and being relatively easily found by and made accessible to individuals exploring ("surfing") that universe ("Webspace"). More specifically, the Web is a distributed, hypertext system comprising hypermedia documents, Web servers and Web clients. Web clients include software programs commonly known as browsers. Browsers typically reside on an individual's personal computer and, among other things, provide for exploring the Web so as to find and access Web documents.
Web serve s are software programs that support various features, including being compatible with one or more standard protocols, e.g., the HyperText Transport Protocol ("HTTP"), the well-known, native protocol of the Web generally unifying its information. Web servers put hypermedia documents on the Web and otherwise make resources associated with the server available to Web clients. Web servers not only make documents and resources accessible to Web clients, but also direct specific documents to clients and complete transactions responsive to each client's input. Web servers, being decentralized but interconnected, give the Web its distributed characteristic.
Web documents ("pages") are constructed in conformity with one of various accepted formats or languages, e.g., HyperText Markup Language ("HTML"). The formats support, among other things, the Web's hypermedia and hypertext characteristics. As to the hypermedia characteristic, Web documents can, and generally do, combine content from one or more of the various media including text, graphics, audio and video. As to the hypertext characteristic, Web documents can, and generally do, contain electronic links to related Web documents. Selecting the link causes the browser to (i) connect to a Web server associated with that link, (ii) request the linked document and (iii) if the Web client satisfies the server's security requirements, receive and display the document.
However described, the Web has had rapid acceptance and growth. The Web's growth is reflected by the number of Web servers going into service in a few years ago: in June 1993, 130 public servers; in November 1994, almost 9,000 public servers; in February, 1995, over 27,000 public servers. The number of servers currently is much greater still. The Web's acceptance is reflected by its application across institutions, whether government, corporate, commercial, education, civic or otherwise. Its acceptance and growth positions the Web to transform the way people create, access, and use information which, in turn, positions the Web to transform the institutions themselves.
The security of Web information and transactions has been identified as a significant problem. At the center of the problem are so-called crackers: individuals who seek to access computers, such as Web servers, so as to conduct pranks, vandalism, espionage or other illegitimate activities. Web security responds to these activities and, among other things, strives to maintain the confidentiality and integrity of information, both as resident on servers and as communicated in Web transactions. Increasing the vulnerability to crackers is that the Web is an open system available to anyone in possession of readily available, affordable technology.
One important Web security issue is authentication. While authentication takes various forms, authentication of individuals is particularly desirable. This authentication is directed to verifying that the individual seeking access to and/or through a Web server is in fact who that individual claims to be, and not an impersonator. This authentication relies on verification being performed at or above a predetermined minimum level of confidence. At the same time, authentication is generally an early hurdle that the individual must clear to conduct Web transactions with the server (typically the individual is subject to other security measures mediating access to system information, services and other resources).
The traditional method for authenticating individuals has relied on secret passwords. Password-only authentication has the benefit that it can be implemented entirely in software. However, password-only authentication has a number of disadvantages. First, passwords can be cumbersome. For example, a password's viability is enhanced, among other ways, by increasing its length, by controlling its composition and by its being frequently changed. However, using these techniques to enhance password viability tends to render the password increasingly cumbersome.
Second, passwords can be forgotten, lost, stolen or otherwise compromised. Password's that are written down are readily stolen. Passwords can be inadvertently disclosed to crackers via various ploys, including by crackers observing the password's entry on a keyboard. Passwords can also be illegitimately discovered by, for example, brute-force trial and error. Moreover, passwords can be intercepted as they are transported from the Web client to the desired server. Passwords can also be compromised by a cracker gaining access to a server's file of registered passwords which files generally are maintained to verify submitted passwords.
At least for these reasons, password-only authentication fails to provide adequate security. At the same time, Web-based applications are flooding into areas that can benefit from enhanced security. Examples of such Web-based applications include: commercial transactions (e.g., the purchase and sale of goods), banking transactions (e.g., electronic funds transfer), and medical transactions (e.g., provision of medical records in emergency situations).
Accordingly, a need exists for improved Web-based security measures, and methods to implement such measures. Moreover, a need exists for improved Web-based authentication systems and methods.