Bank of America Corporation
Biometric Session Tokens for Secure User Authentication

Last updated:

Abstract:

Communications between a client and an application server can be authenticated based on biometrics information about a user. After basic client authentication by the application server, the application server queries a biometrics server that holds the user's biometrics information. The biometrics server provides the biometrics information to the application server in the form of a hash, and the application server stores it in an application database for later comparison. The application server sends an unencrypted token to the client. The client queries the biometrics information from the biometrics server, which is provided as a hash. The client uses the biometrics information to encrypt the unencrypted token received from the application server and sends the encrypted token to the application server for validation. The application server hashes the encrypted token received from the client and compares it to the hash stored in the application database. If the hashes match, the communications are authenticated. The process can be repeated for subsequent tokens until the customer logs out.

Status:

Application

Type:

Utility

Filing date:

7 Jan 2020

Issue date:

8 Jul 2021