Pomcor Granted Patent on Rich Credentials

Pomcor has been granted US Patent 10,567,377, Multifactor Privacy-Enhanced Remote Identification Using a Rich Credential. Karen Lewison is the lead inventor and I am a coinventor. Pomcor has so far been granted a total of eight patents, two of which we have sold. The remaining six patents that we own are listed in the Patents page of this web site.

This latest patent is special because it provides a solution to a major societal problem: how to identify people over the Internet with strong security. Techniques are available for authenticating repeat visitors to a web site or current users of a web application. But authentication techniques are only applicable once a relationship has been established. They are not applicable when somebody wants to establish a new relationship, e.g. by becoming a new customer of a bank, or signing up with a robo advisor, or applying for a mortgage, or renting an apartment, or switching to a different car insurance.

Traditionally, customer identification at the beginning of a new relationship is performed face-to-face using one or more physical credentials that include a photo ID. Today, it may be performed remotely by asking the new customer to demonstrate knowledge of personal information, in what is sometimes called knowledge-based authentication (KBA); but KBA is vulnerable to attack by impersonators who acquire the personal information in the dark web; and it is privacy invasive, as it requires the customer to reveal personal information that may end up on the dark web.

A rich credential provides a much more secure and privacy-friendly method of remote identification to a party with whom the subject of the credential has no prior relationship. A rich credential is a cryptographic credential, which allows the subject to prove knowledge of a private key without revealing the private key; but it is also a multifactor credential that optionally provides biometric identification, e.g. by face recognition, and/or identification by means of a password. If a biometric and/or a password are used, they are verified against the credential, without having been previously registered with the verifier. Details are found in the patent and in this paper.

Rich credentials are privacy-friendly in three different ways.

First, they provide what is called selective disclosure of attributes. The credential may contain a rich set of attributes of the subject, such as name, birth date, social security number, driver license number, passport number, address, telephone number, etc. But only a subset of those attributes is disclosed when the credential is presented, as required for each particular use of the credential. This achieves the privacy principle of data minimization. The credential can be verified even though only some of the attributes are disclosed, because the signature computed by the issuer and included in the credential binds the public key associated with the subject’s private key to an omission-tolerant cryptographic checksum.

Second, they provide selective presentation of identification factors. Some uses of a rich credential may only require proof of knowledge of the private key, in which case the subject does not have to reveal the password or a biometric feature to the verifier. Other uses may require two-factor identification, with submission of the password and/or a biometric in addition to proving knowledge of the private key. Yet other uses may require three-factor authentication by something the user has (the device where the private key is stored), something the user knows (the password) and something the user is (the biometric).

Third, in the important special case where the biometric modality used in the credential is face recognition, they do not require the facial image to be stored in a database where it would be exposed to security breaches. The facial image is obtained by the certificate authority (CA) that issues the credential, or by a registration authority (RA) on behalf of the CA. It is then stored in the credential and deleted from the computing equipment used to collect the image and construct the credential.

The previous post explained how rich credentials could be a new tool for protection against criminals who apply for financial accounts with the intention to commit fraud. In that use case the CA would be a company trusted by the financial industry. It could be a company that provides fraud detection services to financial institutions, or a company that provides knowledge-based authentication today.

The security and privacy shortcomings of today’s remote identification methods are a major societal problem, which makes us vulnerable to criminals both foreign and domestic. It also makes us vulnerable to groups sponsored by hostile nation states, as successful impersonation is often the first step in a broader cyber-attack. We would like to help solve this problem by licensing or selling our rich credentials patent to any company who is willing to pioneer a more secure and private method of remote identification.

Leave a Reply

Your email address will not be published. Required fields are marked *