US20070280510A1

Movatterモバイル変換

Info

Publication number: US20070280510A1
Application number: US11/739,028
Authority: US
Inventors: Kelly Owen; Paul Howell
Original assignee: EncryptaKey Inc
Current assignee: EncryptaKey Inc
Priority date: 2006-04-24
Filing date: 2007-04-23
Publication date: 2007-12-06
Also published as: US20070257104A1; US7780080B2; US20070257105A1; WO2007127188A3; US20070280509A1; CA2650662A1; EP2016545A2; US20080016005A1; AU2007243473A1; WO2007127188A2; US20070282754A1

Abstract

A portable, biometrically-secured device for facilitating various different types of in-person and online transactions. For example, the portable, biometrically-secured device can be used to safely perform in-person financial transactions, such as credit card transactions, in which the user's identity is biometrically authenticated. The portable, biometrically-secured device can also be used for performing biometrically-secured online transactions. For example, the portable, biometrically-secured device can be used to create a secure platform from which to make the online transactions by loading a secure operating system from the device to a host computer's volatile memory. Biometrically-secured online transactions can then be performed using the host computer. In one embodiment, the portable, biometrically-secured device facilitates online financial transactions that can be performed without transmitting a user's financial information to the online merchant.

Description

RELATED APPLICATIONS

This application claims priority to the following U.S. provisional patent applications, each of which is hereby incorporated herein by reference in their entirety to be considered part of this specification: U.S. Provisional Patent Application No. 60/745,514, filed Apr. 24, 2006, and entitled “INVISIDESK PRIVATE COMMUNICATION, AUTHENTICATION AND CONNECTION PORTAL”; and U.S. Provisional Patent Application No. 60/859,168, filed Nov. 15, 2006, and entitled “SYSTEMS AND METHODS FOR PERFORMING SECURE ONLINE CREDIT CARD TRANSACTIONS.”

The present application is also related to the following applications filed on even date herewith, each of which is hereby incorporated herein by reference in its entirety:

- U.S. patent application Ser. No. ______, entitled “PORTABLE DEVICE AND METHODS FOR PERFORMING SECURE TRANSACTIONS” (Attorney Docket FUTO.005A);
- U.S. patent application Ser. No. ______, entitled “SYSTEMS AND METHODS FOR PERFORMING SECURE ONLINE TRANSACTIONS” (Attorney Docket FUTO.006A);
- U.S. patent application Ser. No. ______, entitled “SYSTEMS AND METHODS FOR PERFORMING SECURE IN-PERSON TRANSACTIONS” (Attorney Docket FUTO.007A);
- U.S. patent application Ser. No. ______, entitled “SYSTEMS AND METHODS FOR ESTABLISHING A SECURE COMPUTING ENVIRONMENT FOR PERFORMING ONLINE TRANSACTIONS” (Attorney Docket FUTO.009A); and
- U.S. patent application Ser. No. ______, entitled “SYSTEMS AND METHODS FOR STORING DATA TO A HANDHELD DEVICE” (Attorney Docket FUTO.010A).

BACKGROUND OF THE INVENTION

1. Field of the Invention

Embodiments of the invention generally relate to systems and methods for performing biometrically-secured transactions, including biometrically-secured communications and financial transactions.

2. Description of the Related Art

Due to the prevalence of financial fraud, identity theft, and related schemes, it has become increasingly difficult to safely and securely participate in certain online and in-person transactions. A user typically engages in online transactions using a host computer connected to the internet. However, in many cases the host computer contains malware, such as viruses, worms, spyware, key-logger programs, etc., which endangers the privacy of transactions performed using the host computer.

Even if the host computer is properly secured against such malware, many types of online transactions, such as online credit card purchases, currently require the user to divulge private information to online merchants. For example, when making an online purchase, a purchaser typically pays using a credit card. Not only are these transactions subject to fraud since there are few protections in place to ensure that the purchase is being made by an authorized party, but even in the case where the purchaser is an authorized user of the card, he typically must submit his credit card information to the online merchant. Often the purchaser will make purchases from several different online merchants, thus leading to the widespread dissemination of the purchaser's credit card information. Such widespread dissemination increases the probability that the purchaser's private information will be compromised due, for example, to a breach in the online merchant's computer system security. Moreover, the act of transmitting private information to the merchant creates the danger that the information could be intercepted by unauthorized parties over the internet.

In-person credit card transactions are also subject to security problems, such as fraud. As is the case with online credit card transactions, the transaction may be completed by an unauthorized possessor of the card. More recently, credit cards that include Radio Frequency Identification (RFID) tags have been made available. These credit cards can be used to complete touch-less in-person transactions that do not require the user to swipe his card past a magnetic reader or hand over the card to a cashier. Instead, the credit card information contained in the RFID tag on the card can be transmitted wirelessly when the card is brought in proximity to an RFID tag reader. While this type of credit card increases the convenience of the transaction, it also opens the possibility that a user's credit card information could be surreptitiously read by unauthorized RFID tag readers which may come in proximity to the card.

In addition to the problems described herein with respect to financial transactions, other types of transactions are also subject to concerns related to fraud and identify theft. For example, electronic person-to-person communications, such as email, chat rooms, instant messaging, and others, are also subject to fraud and identity theft. These communications are typically only secured, if at all, with a password. Thus, electronic communications can be accessed by unauthorized parties who are able to gain access to the intended recipient's communication account via a stolen password or some other method.

The problems described herein are not limited solely to financial transactions and electronic communications. A user's privacy, security, and identity can be jeopardized during tasks and activities that millions of people perform every day, whether in-person or remotely via their computers. Cumulatively, these acts of fraud cost society enormous sums of money.

SUMMARY OF THE INVENTION

In view of the foregoing, a need exists for devices, systems, and methods for facilitating in-person and online transactions in a safe and secure manner.

Embodiments of a handheld device for facilitating various different types of in-person and online transactions are disclosed herein. For example, the handheld device can comprise a portable, biometrically-secured device used to safely perform in-person financial transactions, such as credit card transactions, in which the user's identity is biometrically authenticated.

In certain embodiments, the portable, biometrically-secured device can also be used for performing biometrically-secured online transactions. For example, the portable, biometrically-secured device can be used to create a secure platform from which to make the online transactions by loading a secure operating system from the device to a host computer's volatile memory. Biometrically-secured online transactions can then be performed using the host computer. In some cases, the online transactions are performed via private computer network connections. The online transactions can include financial transactions and inter-personal electronic communications, for example.

In some embodiments a portable device is disclosed for facilitating secure transactions. The portable device comprises: an interface configured to couple to a host computer; a biometric sensor configured to receive identification information from a user; a memory configured to store transaction information and instructions for execution by the host computer; and a processor coupled to the memory and the biometric sensor, the processor being configured to authenticate the identification information and, upon authentication of the identification information, to cause the portable device to communicate the instructions to a volatile memory of the host computer to independently control operations of the host computer, the instructions being configured to use the transaction information during the performance of a transaction with a second computer coupled via a network to the host computer.

In some embodiments a method is disclosed for performing a secure transaction. The method comprises: establishing communication between a host computer and a handheld device; receiving with the handheld device biometric information from a user; determining whether the biometric information corresponds to an approved biometric signature; loading operating system instructions from the handheld device to a volatile memory of the host computer when the biometric information corresponds to the approved biometric signature; and performing an online transaction with a second computer communicatively coupled via a network to the host computer while the host computer is operating under the control of the operating system instructions loaded from the handheld device.

In some embodiments a portable device is disclosed for facilitating secure transactions. The portable device comprises: means for communicating with a host computer; means for storing transaction information and operating system instructions for execution on the host computer; means for receiving biometric information from a user; means for authenticating the biometric information and for loading the operating system instructions from said means for storing to the host computer upon said authentication; and means for performing a transaction with a second computer communicatively coupled to the host computer via a network while the host computer is operating under the control of the operating system instructions loaded from said means for storing.

In some embodiments a system is disclosed for performing secure online financial transactions. The system comprises: a portable device comprising a biometric sensor configured to receive user identification information, a memory configured to store user financial information, and a processor coupled to the memory and the biometric sensor, the processor being configured to authenticate the user identification information; a host computer coupled to the portable device; and a transaction server in communication with the host computer and a merchant module via a network, the transaction server being configured to receive user purchase information from the merchant module, the user purchase information being indicative of a user-selected item for purchase, receive the user financial information via the host computer after the user identification information is successfully authenticated, and transmit the user purchase information and the user financial information to a financial processor module for confirmation of sufficient funds related to the user financial information.

In some embodiments a method is disclosed for performing an online financial transaction. The method comprises: receiving, with a transaction module, purchase information from a merchant over a network, the purchase information being indicative of user input as to a desired purchase; receiving biometric information from a user; authenticating the biometric information; receiving, with the transaction module, user financial information over the network after said authentication; and transmitting with the transaction module the user financial information and the purchase information to a financial processor.

In some embodiments a system is disclosed for performing secure online financial transactions. The system comprises: means for receiving purchase information via a network from a merchant, the purchase information being sent by the merchant in response to user input as to a desired purchase; means for receiving user biometric information; means for authenticating the biometric information; means for receiving user financial information over the network upon successful authentication of the biometric information; and means for transmitting the user financial information and the purchase information to a financial processor.

In some embodiments a handheld device is disclosed for facilitating secure transactions. The handheld device comprises: rewritable radio frequency identification (RFID) circuitry; a biometric sensor configured to receive user identification information; a memory configured to store transaction information; a processor coupled to the memory and the biometric sensor, the processor being configured to authenticate the user identification information and to temporarily write the transaction information to the rewritable RFID circuitry upon authentication of the user identification information, the transaction information being readable from the RFID circuitry by an external reader.

In some embodiments a method is disclosed for performing a secure transaction. The method comprises: receiving biometric information from a user; determining whether the biometric information corresponds to a stored biometric signature; writing transaction information to a rewritable radio frequency identification (RFID) tag when the biometric information corresponds to the stored biometric signature; transmitting the transaction information; and removing the transaction information from the rewritable RFID tag after transmitting the transaction information.

In some embodiments a portable device is disclosed for facilitating secure transactions. The portable device comprises: means for receiving biometric information from a user; means for determining whether the biometric information corresponds to a selected biometric signature; means for temporarily writing transaction information to a reconfigurable radio frequency identification (RFID) tag when the biometric information corresponds to the selected biometric signature; and means for removing the transaction information from the RFID tag after the transaction information has been queried by a reader.

In some embodiments a system is disclosed for performing secure electronic person-to-person communications. The system comprises: a handheld device comprising an interface configured to couple to a host computer, a biometric sensor configured to receive biometric information from a user, a memory configured to store operating system instructions for execution by the host computer, and a processor coupled to the memory and the biometric sensor, the processor being configured to load the operating system instructions to the host computer for controlling the operation thereof; and a server coupled to the host computer via a network, the server configured to receive an electronic message from a remote computer, the electronic message including identification information of an intended recipient, receive the biometric information from the handheld device via the host computer, compare the biometric information of the user with the identification information of the intended recipient to determine if the user is the intended recipient, and grant the user access to the electronic message after a determination that the user is the intended recipient.

In some embodiments a method is disclosed for performing secure electronic person-to-person communications. The method comprises: receiving an electronic message via a network, the electronic message being associated with an identification of an intended recipient; receiving, from a host computer coupled to the network, a request by a user to access the electronic message; receiving through a portable device coupled to the host computer biometric information of the user; electronically authenticating the biometric information to determine whether the user is the intended recipient; and granting the user access to the electronic message after said authentication.

In some embodiments a system is disclosed for performing secure network communication. The system comprises: means for receiving an electronic message via a network, the electronic message being associated with an identification of an intended recipient; means for receiving, from a host computer coupled to the network, a request by a user to access the electronic message; means for receiving biometric information of the user, said means for receiving biometric information being coupled to the host computer; means for electronically authenticating the biometric information to determine whether the user is the intended recipient; and means granting the user access to the electronic message after said authentication.

In some embodiments a system is disclosed for establishing a secure computing environment for performing online transactions. The system comprises: a host computer; and a handheld device comprising an interface configured to couple to the host computer, a biometric sensor configured to receive user identification information, operating system instructions for execution by the host computer during the performance of one or more secure online transactions, a memory configured to store the operating system instructions, and a processor in communication with the memory and the biometric sensor, the processor configured to authenticate the user identification information and to communicate the operating system instructions to the host computer after authentication of the user identification information in order to perform the one or more secure online transactions.

In some embodiments a method is disclosed for establishing a secure computing platform from which to perform transactions. The method comprises: establishing a connection between a handheld device and a host computer, the host computer having a first operating system; receiving biometric information with the portable device; authenticating the biometric information; loading operating system instructions from the handheld device to the host computer after said authenticating, wherein said loading causes the host computer to execute the operating system instructions in place of the first operating system during the performance of one or more network transactions.

In some embodiments a handheld device is disclosed for facilitating secure transactions. The portable device comprises: means for communicating with a host computer having a first operating system; means for storing operating system instructions; means for receiving biometric information from a user; means for determining whether the biometric information corresponds to a selected biometric signature; and means for loading the operating system instructions to a volatile memory of the host computer when the biometric information corresponds to the selected biometric signature, the operating system instructions being configured to independently control the host computer during the performance of an online transaction so as to prevent the host computer from loading the first operating system and from accessing non-volatile memory of the host computer.

In some embodiments a system is disclosed for storing data on a handheld device. The system comprises: a handheld device comprising an interface configured to couple to a host computer, a biometric sensor configured to receive biometric information from a user, a memory configured to store operating system instructions for execution by the host computer, and a processor coupled to the memory and the biometric sensor, the processor being configured to load the operating system instructions to the host computer for controlling the operation thereof; one or more storage devices configured to store user data; and a server coupled to the host computer via a network, the server configured to receive the biometric information from the handheld device via the host computer, the host computer operating under the control of the operating system instructions, authenticate the biometric information, and access and transmit the user data to the handheld device upon authentication of the biometric information.

In some embodiments a method is disclosed for storing data on a handheld device. The method comprises: receiving biometric information of a user over a network from a host computer in communication with the first handheld device, the host computer operating under the control of operating system instructions loaded to the host computer from the first handheld device; authenticating the biometric information; and transmitting user data over the network to the first handheld device via the host computer if the biometric information is successfully authenticated.

In some embodiments a system is disclosed for storing data on a handheld device. The system comprises: means for receiving biometric information over a network from a host computer in communication with the first handheld device, the host computer operating under the control of operating system instructions loaded to the host computer from the first handheld device; means for authenticating the biometric information; and means for transmitting user data over the network to the first handheld device via the host computer if the biometric information is successfully authenticated.

For purposes of summarizing the disclosure, certain aspects, advantages and novel features of the inventions have been described herein. It is to be understood that not necessarily all such advantages may be achieved in accordance with any particular embodiment of the invention. Thus, the invention may be embodied or carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other advantages as may be taught or suggested herein.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a portable biometrically-secured device for facilitating biometrically-secured in-person and/or online transactions, according to certain embodiments of the invention;

FIG. 2 is a top perspective view of one embodiment of the portable biometrically-secured device ofFIG. 1;

FIG. 3 is a flowchart illustrating one embodiment of an identity authentication procedure that is supported, at least in part, by the biometrically-secured device ofFIG. 1;

FIG. 4 is a flowchart illustrating the usage of the portable biometrically-secured device ofFIG. 1 during in-person transactions, according to certain embodiments of the invention;

FIG. 5 is a flowchart illustrating the usage of the portable biometrically-secured device ofFIG. 1 during in-person transactions, according to certain embodiments of the invention;

FIG. 6 is a flowchart illustrating the usage of the portable biometrically-secured device ofFIG. 1 during certain online transactions, according to certain embodiments of the invention;

FIG. 7 is a dataflow chart of communications between the biometrically-secured device ofFIG. 1, a host computer, a secure internet portal, and the internet, according to certain embodiments of the invention;

FIG. 8 is a flowchart illustrating one embodiment of a method for establishing a secure platform from which to perform online transactions by using the biometrically-secured device ofFIG. 1 to load a secure operating system onto a host computer;

FIG. 9 is a block diagram of various functional modules offered by a secure internet portal, according to certain embodiments of the invention;

FIG. 10 is a dataflow chart of communications between the biometrically-secured device ofFIG. 1, a host computer, a secure internet portal, an online merchant, and a financial process/clearing house during an online financial transaction according to one embodiment;

FIG. 11 is a flowchart illustrating one embodiment of a method for performing an online financial transaction using the biometrically-secured device ofFIG. 1;

FIG. 12 is a flowchart illustrating one embodiment of a method for performing electronic communications using the biometrically-secured device ofFIG. 1;

FIG. 13 is a dataflow chart of communications between the biometrically-secured device ofFIG. 1, a host computer, a secure internet portal, and a remote computer;

FIG. 14 is a flowchart illustrating one embodiment of a method for connecting to a remote computer using the biometrically-secured device ofFIG. 1; and

FIG. 15 is a flowchart illustrating one embodiment of a method for registering and restoring information to the biometrically-secured device ofFIG. 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Devices, systems, and methods for performing biometrically-secured in-person and online transactions using a biometrically-secured device are disclosed. Various types of transactions are supported, including financial transactions as well as electronic person-to-person communications, such as sending and receiving emails. Other supported transactions include the transmission of entry codes for buildings or vehicles, for example, and the act of accessing electronic files from a remote computer or data storage device.

In certain embodiments, the biometrically-secured device is a portable device similar in appearance to a flash drive (e.g., a “jump drive” or a “thumb drive”). In some embodiments, the portable device includes a biometric sensor for performing biometric identity authentication of a user. Once the identity of a user has been biometrically authenticated, embodiments of the device can be used to complete a transaction involving a party whose identity is a desirable factor in the success or completion of the transaction.

For example, if a user wishes to make a purchase (e.g., an in-person credit card purchase), the device may require the user to biometrically authenticate his identity, after which the device will facilitate the completion of the purchase by, for example, using financial information stored within the device. The biometrically-secured device can also be used to require a user to biometrically authenticate his identity before facilitating many other types of transactions, as described herein.

In the case of some online transactions, the portable, biometrically-secured device interfaces with a host computer (e.g., via a USB port) to create a secure computing platform from which to perform online transactions. For example, the device can be used to boot a host computer with a secure operating system stored on the device that helps to diminish the probability that the user's private information that is exchanged during an online transaction will be compromised. The secure operating system enhances the security of online transactions performed using the host computer by helping to protect a user's private information against malware or other security threats that may exist on the host computer and that would otherwise endanger the security of transactions performed using the host computer.

In some embodiments, the secure operating system helps protect a user's private information against malware by not accessing the host computer's hard disk drive (HDD), which is typically the source of such malware. For example, the secure operating system can be loaded to the host computer's volatile, or temporary, memory (e.g., RAM) from the portable biometrically-secured device. Once loaded, the secure operating system can operate within the host computer's volatile memory, substantially without accessing data from, or storing data to, the computer's non-volatile memory, such as the HDD. Since the secure operating system does not substantially access the HDD, many, if not all, of the security threats from malware stored on the HDD are foregone. For example, if a key-logger program capable of monitoring a user's keystrokes and transmitting them to an unauthorized party were to be installed on the host computer, the secure operating can substantially disable the key-logger program by not accessing the HDD where it resides, thus not allowing it the opportunity to execute.

In some embodiments, the data needed to complete an online transaction is stored in the portable, biometrically-secured device itself without relying on the host computer's HDD. Moreover, data resulting from the online transaction is stored to the portable device rather than to the host computer. After each usage, the computer's volatile memory can be erased without leaving the types of trace information that may still remain in non-volatile memory even after the information is deleted or otherwise “erased.” This process has the benefit of allowing for the completion of online transactions without leaving information associated with the transactions that have been performed under the operation of the secure operating system on the host computer.

In some embodiments, the secure operating system causes the host computer to create a private connection (e.g., an encrypted Virtual Private Network (VPN) connection) to a secure internet portal. In one embodiment, the secure internet portal is a computer server that facilitates various transactions described herein and can act as a conduit for communications between the host computer and various other remote computers. For instance, in certain embodiments, the portal comprises an ORACLE server, an EXCHANGE server, or the like. In certain embodiments, the portal comprises a plurality of servers.

Online transactions such as purchases from online merchants, accessing messages or files, combinations of the same, or the like can then be facilitated via the secure internet portal. For example, the secure internet portal can host biometrically-secured electronic communications services, such as email, chat rooms, voice messaging (e.g., Voice Over IP (VOIP) telephone calls), instant or real-time messaging, combinations of the same, or the like, as well as facilitating access to electronic files on remote computers.

The secure internet portal can also facilitate financial transactions with online merchants without requiring the exchange of confidential financial information between a purchaser and the merchant, thus avoiding the widespread dissemination of the purchaser's financial information along with the dangers that accompany such dissemination. In the case of each of these transactions, the device can be used to biometrically authenticate the identity of one or more parties involved in the transaction, thus decreasing the possibility of a fraudulent transaction.

In addition to the online transactions facilitated by the portable device, it can also facilitate in-person transactions. For example, the portable device can include an active or passive transmitter, such as an RFID tag to send, whether wirelessly or not, transaction information to another device, such as a point-of-sale terminal or an RFID tag reader. In some embodiments, the RFID tag is rewritable so that it can be programmed for use in many different types of transactions.

For example, the rewritable RFID tag can be programmed for use in a credit card transaction, a debit card transaction, or other similar financial transaction. It can also be programmed to transmit an access code to a door lock on a building or vehicle. Other uses are also possible. Regardless of the particular transaction, once the rewritable RFID tag has transmitted transaction information to an RFID tag reader, the rewritable RFID tag can be erased so that a user's private information cannot be queried by an unauthorized RFID tag reader. In the case of any of these transactions, the portable device's biometric reader can be used to authenticate a user's identity before facilitating the desired in-person transaction.

The features of the devices, systems, and methods will now be described with reference to the drawings summarized above. Throughout the drawings, reference numbers are re-used to indicate correspondence between referenced elements. The drawings, associated descriptions, and specific implementation are provided to illustrate embodiments of the invention and not to limit the scope of the disclosure.

In addition, methods and functions described herein are not limited to any particular sequence, and the steps or states relating thereto can be performed in other sequences that are appropriate. For example, described blocks or states may be performed in an order other than that specifically disclosed, or multiple blocks or states may be combined in a single block or state.

The term “transaction” as used herein is a broad term and is used in its ordinary sense and includes, without limitation, the sending and/or receiving of information, whether online or in-person. Such information can include, for example, financial information, access code information, inter-personal communications, remotely stored data, combinations of the same, and the like.

FIG. 1 is a block diagram of a portable biometrically-secureddevice10 for facilitating biometrically-secured in-person and/or online transactions, according to certain embodiments of the invention. Certain embodiments of thedevice10 are similar in appearance to flash drives of the sort that provide portable electronic data storage. As illustrated, the biometrically-secureddevice10 includes aninterface24 for communicatively coupling thedevice10 to a host computer (not shown). In certain embodiments, theinterface24 comprises a USB interface, though other types of interfaces are also suitable, whether wired or wireless. For example, FIREWIRE, BLUETOOTH, Wi-Fi, and Wireless USB interfaces, combinations of the same, or the like are also suitable.

Thedevice10 can also include adisplay28 for communicating textual or graphical information to a user and auser input device26. In one embodiment, thedisplay28 is an organic light-emitting diode (OLED) display. In other embodiments, thedisplay28 can be a liquid crystal display (LCD) or any other suitable type of display. In one embodiment, the user-input device26 is a scroll wheel. In other embodiments, keyboards, touch-screens, pointing devices, and the like can also be used. Thedevice10 also includes abattery20 and power controller/batter charger22 which power thedevice10 when it is not coupled to an external power source. In one embodiment, thebattery20 is charged via a USB interface when thedevice20 is coupled to a computer, though a separate power adapter unit, for example, can also be used.

Some embodiments of thedevice10 also include awireless communications module14. In certain embodiments, thewireless communications module14 advantageously includes RFID circuitry16 (e.g., an RFID tag) and/or aBLUETOOTH transceiver18. As described herein, theRFID tag16 can be used during in-person transactions to wirelessly transmit information to an RFID tag reader in response to an interrogation signal from the RFID tag reader. These transactions may include, for example, touch-less credit card transactions, keyless entry into an office or other private space, or keyless ignition of an automobile or other vehicle. TheRFID tag16 can also be used to perform any other wireless transaction known in the art.

In certain embodiments, theRFID tag16 can be a passive RFID tag or an active RFID tag. Moreover, in some embodiments, theRFID tag16 is a rewritable RFID tag. Therewritable RFID tag16 is writable so that it can be programmed by aprocessor32 to adhere to several of the different communication standards (e.g., ISO standards) that are known and used in the art for different purposes.

Thewireless communications module14 can also include a BLUETOOTH, or similar-type,transceiver18. As described herein, theBLUETOOTH transceiver18 can be used to communicatively couple a user's BLUETOOTH enabled telephone or headset to thedevice10 to allow for biometrically-secured telephone conversations (e.g., VOIP telephone conversations). TheBLUETOOTH transceiver18 can also be used to biometrically secure any other function known in the art for BLUETOOTH-enabled or similar-type devices. In addition, the wireless communications module also includes one ormore antennas12. The RFID tag antenna may be a directional antenna to reduce the probability that a communication between theRFID tag16 and an RFID tag reader will be intercepted by a third party.

As shown, the biometrically-secureddevice10 includes theprocessor32. In certain embodiments, theprocessor32 has a 32-bit word size, though other word sizes are also acceptable. Theprocessor32 can be configured to control certain operations of thedevice10. For example, theprocessor32 can control the interface (e.g., USB interface)24 with a host computer (not shown). It can program therewritable RFID tag16 to adhere to different communication standards. Theprocessor32 can control access to

memory modules

34 and36. Theprocessor32 can also perform other functions as desired, including encryption of information transferred between the biometrically-secureddevice10 and other external devices, or between the various components of the biometrically-secureddevice10.

The biometrically-secureddevice10 generally includes one or more memory modules. In certain embodiments, thedevice10 includes at least two physically

separate memory modules

34,36 that are biometrically-secured so that access to the

memory modules

34,36 is at least partially restricted based on whether a user has biometrically authenticated his identity. As illustrated inFIG. 1, thememory module34 comprises a read-only memory module34. Many different types of read-only memory can be used, including an electrically erasable programmable read-only memory (EEPROM) module. In some embodiments, thememory module34 is not a read-only memory module but is nonetheless write-protected. For example, thememory module34 may be write-protected by configuring it so that it cannot be written to without a user first having authenticated his identity, as described herein.

In some embodiments, the read-only memory module34 stores the computer code for asecure operating system35. Thesecure operating system35 comprises computer-readable instructions for controlling a host computer. In certain embodiments, thesecure operating system35 can be advantageously loaded from thedevice10 into the volatile memory (e.g., RAM memory) of a host computer communicatively coupled to thedevice10 through theinterface24. Thesecure operating system35 generally includes enough basic functionality to operate the host computer, communicate with I/O devices attached to the host computer, and to initiate a private network connection with a secure internet portal, as described herein. For example, thesecure operating system35 can include a filing system, a graphical user interface, a process management module, a memory management module, a networking management module, I/O controllers, peripheral device drivers, a VPN connection utility, a firewall module, a virus scanner module, security probes, a web browser module, various types of file editing software (e.g., word processing software, spreadsheet software, multimedia playback/editing software), combinations of the same or the like.

In some embodiments, thesecure operating system35 operates solely from the host computer's RAM memory and the one or

more memory modules

34 and36 of the biometrically-secureddevice10, thus circumventing the host computer's non-volatile storage memory (e.g., the host computer's HDD). For example, once thesecure operating system35 is loaded, the host computer's HDD can be partially disabled or, in some cases, completely disabled. In some embodiments, the host computer's HDD is powered down while the host computer is under the control of thesecure operating system35 or otherwise placed in a state where the internal disks of the HDD do not rotate such that no information can be read from or written to the HDD while the host computer is under the control of thesecure operating system35.

Thesecure operating system35 is configured to control operation of the host computer independently from the host computer's native operating system. For instance, theoperating system35 can advantageously include a limited number of basic device drivers usable for certain peripherals of the host computer (e.g., display, keyboard, mouse) and/or cause the host computer to operate in a type of “safe mode.” In other embodiments, theoperating system35 functions in combination with the host computer's native operating system and/or a limited number of device drivers stored on non-volatile memory of the host computer.

In certain embodiments, any malware, such as spyware, viruses, key-logger programs, or other malicious software that may exist in the host computer's non-volatile storage memory is, thus, rendered non-functional while the host computer is under the control of thesecure operating system35. Furthermore, the fact that thememory module34, which stores thesecure operating system35, is read-only or otherwise write-protected makes thesecure operating system35 resistant to malware threats, since malicious software cannot be saved to the read-only memory module, or otherwise incorporated into thesecure operating system35.

In summary, because thesecure operating system35 in some embodiments does not store information to or retrieve information from the host computer's non-volatile memory, thedevice10 provides for several advantages. First, since thedevice10 loads its ownsecure operating system35, the user need not worry about the security of the operating system already loaded onto the host computer while performing private online transactions. Moreover, the probability that malware, such as spyware, stored on the host computer's HDD will monitor or otherwise compromise the privacy of online transactions performed using the host computer is reduced because thesecure operating system35 does not access the host computer's HDD. Second, since substantially no data is stored to the host computer from thedevice10, there are few, if any, traces of financial or other private information that are left behind on the host computer once thedevice10 is removed. Moreover, any private information stored in the host computer's volatile memory can be irretrievably erased by command from thesecure operating system35 or by cycling the power supply to the volatile memory. Third, since no data is stored to thedevice10 from the host computer, the probability that malware may be transferred from the computer to the device is reduced.

In some embodiments, the biometrically-secureddevice10 also includes a second read/writable (R/W)memory module36. The R/W memory module36 can also be biometrically-secured so that its accessibility can be based, at least in part, on whether a user has successfully biometrically authenticated his identity. As illustrated, the R/W memory module36 further includes anapplication memory module38 that stores information that interacts with the other components of the biometrically-secureddevice10.

For example, theapplication memory module38 can store information from one or more of a user's credit cards, financial accounts, building door access codes, vehicle lock and ignition system codes, combinations of the same, or the like. This data can be written to therewritable RFID tag18, as described herein. The R/W memory module36 also includes auser data module40 that stores any type of electronic information that a user wishes to biometrically secure. This may include text documents and multimedia files, for example. In other embodiments, the R/W memory module36 may function with or without theapplication memory module38 and/or theuser data module40. In certain embodiments, the user downloads information to theapplication memory module38 through a host computer coupled thereto.

In some embodiments, the R/W memory module36 also contains a configuration utility which allows a user to select one of several options when thedevice10 is communicatively coupled to a host computer. For example, in certain embodiments, the user can select to perform a transaction, in which case the configuration utility causes thedevice10 to load thesecure operating system35, for example, by performing a re-boot of the host computer.

The user may also choose to configure network settings that will allow the device to create a private connection to a secure internet portal, as described more fully herein. This may entail configuring an IP address, a subnet, or a Wired Equivalent Privacy (WEP) key, for example. In some embodiments, the configuration utility attempts to gather this information from the host computer directly, but it may ask a user to manually input the information as well.

In addition, the user may choose to transfer computer files between the host computer and the R/W memory module36. In some embodiments, such files are scanned for security breaches before being stored to the R/W memory module36. For example, the files can be scanned for viruses, other malware, or the like. If a threat is detected, the user can be alerted and questioned as to whether or not to proceed. Finally, in certain embodiments, the user may select to configure the host computer to accept private incoming connections from the secure internet portal or some other remote computer, as described herein.

The biometrically-secureddevice10 also includes abiometric sensor30 to biometrically authenticate the identity of a user. In one embodiment, thebiometric sensor30 is a fingerprint reader. In other embodiments, thebiometric sensor30 can be a retinal or iris scanner, a voice recognition unit, a face recognition unit, a hand geometry recognition unit, combinations of the same, or other like biometric sensors. As described herein, the biometrically-secureddevice10 can be initially registered with unique biometric identifying information of a user. Thereafter, the biometrically-secureddevice10 can advantageously deny the completion of certain in-person and online transactions unless the user successfully biometrically authenticates his identity with thebiometric sensor30.

Thebiometric sensor30 can be coupled to other components of the biometrically-secureddevice10, such as theprocessor32 or the

memory modules

34,36 via anelectrical bus42 in order to control the operation of one or more such components. For example, one or more components of the biometrically-secureddevice10 may be configured to require a user to successfully biometrically authenticate his identity before becoming operative. In one embodiment, the biometrically-secureddevice10 is configured so that one or both of the memory modules are inaccessible without a user first biometrically authenticating his identity via thebiometric sensor30. Thus, the memory modules can be biometrically-secured.

Once a user's biometric information is successfully authenticated, or the user's identity is otherwise authenticated, the biometrically-secured components of thedevice10 may remain operative for the duration of a session. The session may have a pre-determined length or can end after a pre-determined period of inactivity. In other embodiments, a session may consist of the completion of a single transaction, and/or the user may manually end the session. Other session lengths and types are also possible and will be apparent to those of ordinary skill in the art from the disclosure herein.

Although thedevice10 has been described with respect to particular embodiments, other arrangements of thedevice10 may be used. For instance, thedevice10 may function without all the components depicted inFIG. 1. For example, theportable device10 may exclude theBLUETOOTH transceiver18 or thedisplay28. In other embodiments, theportable device10 can include additional components, such as additional memory modules, input devices, communication interfaces, and the like. In some embodiments, components of theportable device10 can be interconnected without the use of theelectrical bus42 illustrated inFIG. 1. For example, one or more of the components of thedevice10 can have a dedicated connection to theprocessor32.

FIG. 2 illustrates one embodiment of the portable biometrically-secured device ofFIG. 1. As shown, the components of the biometrically-secureddevice10 can be assembled into ahousing42. Thehousing42 shown inFIG. 2 provides for an aesthetically pleasing design of thedevice10. Also shown inFIG. 2 are thedisplay28, the interface24 (USB port) and aninput device26, such as a scroll wheel. In some embodiments, thehousing42 includes tamper-proof features. For example, in some embodiments thehousing42 is filled with a high-strength, heat-resistant epoxy at the time of manufacture. The epoxy is allowed to cure and encases the components of theportable device10 so that later attempts to access the components through the hardened epoxy will likely result in their destruction. In other embodiments, one or more pockets of uncured epoxy are provided inside thehousing42 such that attempts to open thehousing42 and/or to access the components inside thehousing42 cause the release of the epoxy and disable vital components of thedevice10.

An epoxy can be chosen that has a higher melting point than vital components of thedevice10 so that attempts to heat thehousing42 in an effort to weaken the strength of the epoxy will first result in the destruction of the vital components. WhileFIG. 2 illustrates the biometrically-secureddevice10 as a USB-type key, in other embodiments thedevice10 can be a cell phone, a PDA, a laptop computer, combinations of the same, or the like.

FIG. 3 is a flowchart illustrating oneidentity authentication procedure300 that is supported, at least in part, by the biometrically-secureddevice10 ofFIG. 1. For exemplary purposes, theauthentication procedure300 will now be described with reference to components of the biometrically-secureddevice10 ofFIG. 1.

As shown, theauthentication procedure300 begins with an authentication request from a user atblock310. For example, the authentication request could comprise a request by the user to perform a transaction or to activate theportable device10. The authentication request could also come from a remote device, such as the secure internet portal described herein, during a log-in procedure to that device. Atblock320, the portable biometrically-secureddevice10 performs a biometric scan of, for example, the user's fingerprint.

Atdecision block330, the biometrically-secureddevice10 determines whether the biometric input information sensed by thebiometric sensor30 corresponds to the biometric information that was initially registered to the device10 (e.g., whether a fingerprint entered by a user matches a fingerprint previously registered to the device10). If thedevice10 determines that there is a match, an additional level of security can be added by requiring the user to enter a username and password atblock340. In some embodiments, the username and password are required to access a secure internet portal, or other remote computer, as described herein.

If thedevice10 determines that the username and password are correct, atdecision block350, yet another layer of security can be added atblock360. For example, at block360 a user is prompted and/or required to select one of several different images and/or patterns that are displayed. For instance, the user may be given the choice of images, one of which is the “correct” image by virtue of having been pre-selected by the owner of thedevice10 during a registration process that is described herein. Of course, the more images that are displayed, the greater the corresponding security enhancement will be. In one embodiment, three or more images are displayed. In another embodiment, twenty or more images are displayed.

If the user selects the correct image, then the user's identity can be deemed to have been satisfactorily authenticated atblock380. If, however, any of the three tests is failed, then the device may instruct the user to try again and/or or lock the user out of the device, as shown atblock390. The lock-out may, for example, last for some predetermined length of time, or until the device is unlocked via a re-registration process.

Theauthentication procedure300 illustrated inFIG. 3 is merely exemplary of one embodiment. In other embodiments, theauthentication procedure300 may omit one or more of the tests (e.g., biometric scan, username/password, and image selection) illustrated inFIG. 3, or may add additional tests. In other embodiments, certain blocks of theauthentication procedure300 may be performed in a different sequence and/or concurrently. One or more of the blocks may also be performed by the secure internet portal and/or other remote computers, as described herein.

In certain embodiments, different levels of authentication can be defined for different situations. For example, an authentication level1 may consist of a successful biometric scan. This level of authentication requires the user to have something (e.g., the device10) and to be something (e.g., the registered owner of the device10). An authentication level2 may consist of a successful biometric scan and image selection. This authentication level requires the user to have something, be something, and know something (e.g., the correct image). An authentication level3 may consist of a successful biometric scan, image selection, and username/password entry. This authentication procedure requires the user to have something, be something, and know several items of information, including the username and password. These authentication procedures can be performed entirely by the portable biometrically-secureddevice10 or in combination with some additional device, such as the secure internet portal described herein.

FIG. 4 is a flowchart illustrating the general usage of the portable biometrically-secured device ofFIG. 1 during in-person transactions, according to certain embodiments of the invention. For exemplary purposes, the in-person transaction process400 will be described with reference to components of the biometrically-secureddevice10 ofFIG. 1.

Atblock410, a user identifies an in-person transaction that he wishes to make. Atblock420, the user authenticates his identity, such as, for instance, through theauthentication procedure300 ofFIG. 3. A level1 authentication can be required such that the user must biometrically authenticate his identity using the device'sbiometric sensor30. In other embodiments, a level2 or level3 authentication procedure can be required.

Atdecision block430, the biometrically-secureddevice10 determines whether the authentication procedure was successful (e.g., whether the biometric input information sensed by thesensor30 corresponds to the biometric information registered to the device10). If the user is successfully authenticated as the owner of thedevice10, then the biometrically-secureddevice10 facilitates the completion of the in-person transaction atblock440. If the authentication fails, then thedevice10 denies the in-person transaction atblock450.

As described herein, the in-person transaction may be a financial transaction, such as a credit card payment at the establishment of a brick and mortar merchant. The transaction can also be the act of obtaining access to a building. Still other possible transactions include the act of obtaining access to a vehicle and/or starting the ignition system of the vehicle. Many other in-person transactions are also possible and will be recognized by those of skill in the art.

FIG. 5 is a flowchart illustrating the usage of the portable biometrically-secured device ofFIG. 1 during in-person transactions according to one embodiment. Atblock510 of the in-person transaction process500, the user activates the portable biometrically-secureddevice10, for example, by scanning in his fingerprint. Atdecision block520, the user selects an in-person transaction type from a series of choices shown on thedevice display28. The user can scroll through the list and select to make a credit card transaction, a building access transaction, or a vehicle access/ignition transaction.

If the user selects a credit card transaction, atblock535, thedevice display28 shows the user a list of credit cards for which the user has previously entered the corresponding information, such as the cardholder's name, billing address, expiration date, security code, combinations of the same, or like information. Those of skill in the art will recognize that other payment options (e.g., debit cards) can also be used in similar ways. In certain embodiments, the available credit card information is advantageously shown on thedisplay28, for example, in textual format or as actual images of each credit card.

Alternatively, at decision block520 a user may select a building access transaction. If a building access transaction is selected, at block540 the user selects the particular building, room, office, dwelling, or the like, that he wishes to enter and for which he has previously entered the corresponding access code into thedevice10. The user may also select a vehicle access/ignition transaction, in which case the user selects the desired vehicle to unlock or start at block550.

In certain embodiments, regardless of the type of transaction which the user has selected inblocks520 through550, once the selection is complete, the user authenticates his identity atblock560. In some embodiments, this authentication step is a level2 authentication, though other levels can also be used. Assuming that the authentication is successfully completed, atblock570 the device proceeds to write the necessary transaction information to therewritable RFID tag16. In some embodiments, theprocessor32 writes the necessary transaction information from the R/W memory module36 to therewritable RFID tag16.

In the case of a credit card transaction, in certain embodiments, the user's credit card information is written to theRFID tag16 where it is formatted and transmitted according to the standards (e.g., ISO standards) known and used in the art. In certain embodiments, since therewritable RFID tag16 is appropriately formatted, no additions or modifications to existing payment infrastructure, such as point-of-sale terminals, etc., are required. Similarly, in the cases of building access and vehicle access/ignition transactions, the applicable information and codes are written, for example, from the biometrically-secured applicationdata memory module38 to therewritable RFID tag16 according to the applicable transmission and formatting standards conventionally used for those types of transactions.

Atblock580, therewritable RFID tag16 is queried and read by an RFID tag reader. Once the rewritable RFID tag is queried, or interrogated, theprocessor32 erases therewritable RFID tag16 to reduce the possibility that thetag16 may be queried and read by an unauthorized third party. In some embodiments, the act of erasing the rewritable RFID tag consists of writing random data or other “garbage” data, to theRFID tag16. In some embodiments, therewritable RFID tag16 is erased in response to having been interrogated by an RFID tag reader.

In some embodiments, therewritable RFID tag16 is erased by the processor32 a pre-determined amount of time after the transaction information has been written to the rewritable RFID tag. For example, the processor can erase the transaction information from therewritable RFID tag16 approximately one microsecond or less, one millisecond or less, one second or less, or five seconds or less after the transaction information has been written to it.

In some embodiments, the length of time that the transaction information is stored in therewritable RFID tag18 is chosen based on the standard query time of an RFID tag/reader pair according to an ISO standard being used for a selected transaction. For example, the query time for different transactions may vary depending upon the amount of data transmitted and the data rate of the transmission. In these embodiments, the length of time that the transaction information is stored in therewritable RFID tag18 can be selected so as to allow an RFID tag reader just sufficient time to query therewritable RFID tag18. In other embodiments, theprocessor32 may detect when theRFID tag18 has been interrogated and erase theRFID tag18 shortly thereafter. Moreover, in some embodiments, the user can manually cause theprocessor32 to erase the rewritable RFID tag.

FIG. 6 is a flowchart generally illustrating the usage of the portable biometrically-secured device ofFIG. 1 during online transactions. In particular,FIG. 6 illustrates an exemplary embodiment of anonline transaction process600. Atblock610, a user secures a host computer by using the portable biometrically-secureddevice10 to load thesecure operating system35 into the host computer's volatile memory.

Atblock620, the user establishes a private computer network connection (e.g., a VPN connection) with an online transaction partner. The transaction partner can be, for example, an online merchant, a repository of electronic files (e.g., the user's home computer when he is away, a corporate server, etc.), or a communication partner (e.g., an email recipient's mail server, a text messaging partner, a sender or recipient of a VOIP call, etc.). The private connection can be formed directly with the transaction partner or via a secure internet portal, as described herein. In some embodiments, the entire online transaction is completed through the private connection. In other embodiments, only a portion of the transaction is completed through the private connection.

Atblock630, the user identifies the particular online transaction that he wishes to perform with the transaction partner. For example, the user may select a transaction option presented to him by a graphical user interface (GUI) of the secure internet portal described herein. In some situations, the user can navigate to the web page of an online merchant and select a purchase to complete. In addition, the user can select a person with whom he wishes to communicate or a remote computer with which he wishes to connect.

Atblock640, the user authenticates his identity. The authentication procedure can be completed using only the portable, biometrically-secureddevice10, or using thedevice10 in combination with a secure internet portal or some other remote device. For example, the user may enter his biometric information with thebiometric sensor30 on thedevice10, and then transmit a username and password to a secure internet portal or to the transaction partner.

In some embodiments, thedevice10 is used to transmit information that is derived from the user's biometric signature to a remote device, such as the secure internet portal or transaction partner, so that the remote device can make an independent determination as to whether the user's biometric signature matches one that has been previously registered to theportable device10. This can be done, for example, using an asymmetric cryptographic method described herein.

Atdecision block650, theportable device10, or a combination of theportable device10 and one or more remote devices, such as a secure internet portal and/or transaction partner, determines whether the authentication procedure has been successfully completed. If the user successfully completes the authentication procedure, then the online transaction is allowed to be completed. Once the transaction is completed, thesecure operating system35 that was loaded onto the host computer can be shut down, and the host computer's volatile memory can be erased to substantially reduce, if not eliminate, traces of the transaction on the host computer. If the authentication step fails, however, the online transaction is denied atblock680.

FIG. 7 is a dataflow chart of communications between the biometrically-secureddevice10, ahost computer50, asecure internet portal70, and theinternet80, according to certain embodiments of the invention. Various firewalls (not shown) may also be included between the components of theonline transaction system700. For example, a firewall may be included between thehost computer50 and thesecure internet portal70. As disclosed herein, in certain embodiments, the portable biometrically-secureddevice10 advantageously communicates with ahost computer50 through asuitable interface24. In one embodiment, theinterface24 is a USB port. Through this port, thedevice10 andhost computer50 exchange information such as instructions for thesecure operating system35, financial information, as well as various kinds of transaction information received by thehost computer50 from remote devices.

Thehost computer50 can communicate with thesecure internet portal70 through aprivate connection60. In one embodiment, theprivate connection60 is an encrypted VPN connection, though other alternatives may also suitable. TheVPN connection60 can be set up and configured according to any method known or developed in the art. In certain embodiments, the level of encryption can be chosen based on the available bandwidth between thehost computer50 and thesecure internet portal70. For example, DES Level I, II, or III encryption can be used depending upon the available bandwidth of the connection.

In some embodiments, the VPN connection is formatted in such a way that once it is activated, no remote computer is able to connect to thehost computer50 outside of theVPN connection60. In certain embodiments, theVPN connection60 can also switch between a plurality of modes, as well as switch between different levels of encryption to reduce the probability that theVPN connection60 can be cracked or piggybacked. TheVPN connection60 can also be configured to request a new server authentication certificate at random intervals to further enhance the security of the connection.

In certain embodiments, thesecure internet portal70 is a general purpose server computer, or cluster of server computers (e.g., a database server, a web server, an email server, or the like), that is configured to receive incoming private connections from users of the portable, biometrically-secureddevice10 and programmed with several functional modules described herein. For example, the functional modules can present and facilitate various online transactions to the user. These can include inter-personal electronic communications, online purchases, connections to remote computers, and combinations of the same or the like. Thesecure internet portal70 can also communicate with theinternet80 at large and act as a conduit for information flow between the portable biometrically-secureddevice10, thehost computer50, and theinternet80. Thesecure internet portal70 can also act as a conduit for information flow between theportable device10 and a remote computer or network.

FIG. 8 is a flowchart illustrating one embodiment of aboot loader method800 for establishing a secure platform from which to perform online transactions by using the biometrically-secureddevice10 to load asecure operating system35 onto ahost computer50. In some embodiments, theboot loader method800 is used to restart thehost computer50 with the pre-loadedsecure operating system35 from the read-only memory module34 of theportable device10. This helps reduce the probability that hacking and/or malware will affect thehost computer50 because theportable device10 loads thesecure operating system35 into the host computer's volatile memory and then dismounts the host computer's HDD. As this process executes, the following messages can be displayed to the user: 1) boot process started; 2) detecting the peripheral devices available in thehost computer50; 3) checking driver availability; 4) checking boot loader; 5) executing grub; and 6) re-starting host computer.

Atblock810, a user starts ahost computer50 and normally boots the native operating system installed on thehost computer50. Atblock820, the user inserts the biometrically-secureddevice10 into a USB port of thehost computer820. In some embodiments, the interface between the biometrically-secureddevice10 and the host computer is not a USB port, and in those embodiments communication between thedevice10 and thehost computer50 can be established according to thespecific interface24 chosen. Atblock830, thedevice10 instructs the user to authenticate his identity. In some embodiments, this is a level1 authentication procedure, though others can also be used.

In one embodiment, if the authentication step is successfully completed, the configuration utility allows the user to select any one of several options. For example, the configuration utility can allow the user to cause thedevice10 to load thesecure operating system35 by performing a re-boot of thehost computer50. The user may also choose to configure network settings that will allow the device to create a private connection to thesecure internet portal70, transfer computer files from thehost computer50 to/from the R/W memory module36, or configure thehost computer50 to accept private incoming connections from the secure internet portal or some other remote computer.

If the user chooses to load thesecure operating system35, theprocessor32 may first determine whether any additional device drivers, not already stored on theportable device10, are needed for thesecure operating system35 to control thehost computer50 and/or any attached devices, such as keyboards, pointing devices, graphics cards, etc. This can be done, for example, by detecting the devices attached to thehost computer50. If device drivers are needed, theprocessor32 instructs thehost computer50 to download the drivers over the internet from, for example, a driver server module of thesecure internet portal70.

If a particular driver is not available from the secure operating system, theportable device10 can determine the severity of the impact on thehost computer50 of not having the driver. If the degree of severity is low, then the boot process will be executed. If the unavailable drivers have a high degree of severity, then a request for the drivers to be made available by thesecure internet portal70 can be made and the user can be instructed to try again later. In other embodiments, thehost computer50 may load drivers to theportable device10 from a compact disk (CD) or other like medium. Once peripheral device drivers are loaded to theportable device10, they may be stored for future use or discarded after the session with thehost computer50 has ended.

Once the appropriate drivers have been downloaded to the portable biometrically-secureddevice10 for usage with thesecure operating system35, it instructs thehost computer50 to restart atblock840. The user can be given the choice of whether to boot into thesecure operating system35 or into the native operating system of thehost computer50. If the user selects thesecure operating system35, theportable device10 boots thesecure operating system35 atblock850. In other embodiments, the host computer's BIOS can be configured to detect a connection from theportable device10 and boot directly from thedevice10, so that it is unnecessary to start and boot thehost computer50 normally first.

In some embodiments, the boot process is achieved by creating a boot loader. For example, a boot loader function can be called. Execution of the boot loader function calls a primary boot loader and then calls a secondary boot loader. The boot loader loads itself into memory in the following stages: 1) the primary boot loader is read into memory from, for example, the master boot record by the host computer's BIOS; 2) the secondary boot loader is read into memory from theportable device10. The secondary boot loader finds the HDD of thehost computer50 and selects the desired kernel or operating system to boot. 3) Once the boot loader determines which operating system to start, it loads the operating system into memory and transfers control of the machine to that operating system (e.g., the secure operating system35). If thesecure operating system35 is loaded, the HDD of thehost computer50 is dismounted during the boot process and no further interaction with the hard drive takes place. 4) A Log file can be created to store the step-by-step process involved in the boot process. The purpose of log file is to maintain the status of the boot process. The log file can be stored on theportable device10.

As described herein, in some embodiments, thesecure operating system35 operates in the host computer's volatile memory, generally without reading data from, or storing data to, the host computer's non-volatile memory, such as its HDD. Thus, after the user is finished completing the desired transactions, substantially no personal or private information is left on thehost computer50.

Atblock860, thehost computer50 determines the available bandwidth of a connection between thehost computer50 and thesecure internet portal70, and selects an appropriate level of encryption for the connection. Atblock870, thehost computer50 initiates a privateencrypted VPN connection60 with thesecure internet portal70, the settings and configuration of which can be determined using the configuration utility described herein. Once theprivate connection60 with thesecure internet portal70 has been established, thesecure internet portal70 initiates an authentication procedure.

In some embodiments, thesecure internet portal70 initiates a level3 authentication procedure, requiring the user to scan his biometric information, enter a username and password, and make an image selection. As described herein, information derived from the user's biometric signature that is scanned by thebiometric sensor30 can be sent to thesecure internet portal70 for independent authentication by thesecure internet portal70 of the user's biometric signature. If the authentication process is successfully completed atblock880, the secure internet portal can advantageously display the user's homepage, which contains links to various functional modules.

FIG. 9 is a block diagram900 of various functional modules offered by the secure internet portal. In certain embodiments, once connected to thesecure internet portal70, a user can select from transactions offered by the various functional modules. For example, thesecure internet portal70 may include one or more of the following functional modules depicted inFIG. 9: a personalfinancial information module910; ashopping module915; acommunications module920, including anemail module925, anonline chat module930, aVOIP module935, and an onlinediscussion groups module940; afinancial services module945; amedical information module950, agovernment information module960; aconnection manager module970; and a file manager module980.

In certain embodiments, the user accesses the functional modules provided by thesecure internet portal70 via a graphical user interface provided by thesecure internet portal70. For example, thesecure internet portal70 can download web pages to thehost computer50 with clickable links to invoke the various functional modules. Some embodiments only include a subset of the illustrated functional modules, while other can include functional modules not illustrated.

Theshopping module915 allows a user to make biometrically-secured online purchases without transmitting his payment information to the online merchant. In some situations, these purchases involve communications between one or more remotely located devices.

A dataflow chart of these communications is shown inFIG. 10. In particular,FIG. 10 illustrates an exemplary embodiment of afinancial transaction system1000 having communications between the biometrically-secureddevice10, thehost computer50, thesecure internet portal70, anonline merchant90, and a financial processor/clearing house100 during an online financial transaction. As shown, the portable biometrically-secureddevice10 is communicatively coupled to thehost computer50 that is in turn communicatively coupled to thesecure internet portal70 via a private connection such as theencrypted VPN connection60.

In the depicted embodiment, thesecure internet portal70 includes atransaction server module75. In some embodiments, a user communicates with theonline merchant90 via thesecure internet portal70 which communicates with theonline merchant90 via the internet at large with, for example, secure sockets layer (SSL) encryption. In other embodiments, thesecure internet portal70 may communicate with theonline merchant90 via a VPN connection or dedicated communication lines. The user can also communicate directly with theonline merchant90 via theinternet80, such as, for example, via an unsecured connection. As is further illustrated, theonline merchant90 further includes atransaction agent95. Thesecure internet portal70 also includes a connection to the financial processor/clearing house100. In certain embodiments, the connection between thesecure internet portal70 and the financial processor/clearing house100 is a private connection, such as one or more dedicated lines (e.g., ADSL/T1+lines) or other such private transmission channel.

An online purchase will now be described with reference toFIG. 11, which is a flowchart illustrating one embodiment of an onlinefinancial transaction process1100. For exemplary purposes, the onlinefinancial transaction process1100 will be described with reference to thefinancial transaction system1000 ofFIG. 10.

Atblock1110, a user navigates, for example, via thesecure internet portal70, to the online merchant90 (e.g., Amazon, Buy.com, Circuit City) over theinternet80. For example, the user may utilize a web browser to access a website of theonline merchant90. Atblock1115, the user selects a product or service to purchase from the online merchant and begins a checkout process to complete the selected purchase. Thetransaction agent95 is configured to provide users of the portable, biometrically-secureddevice10 with an option during the checkout procedure to make a biometrically-secured payment via thetransaction server75. In certain embodiments, thetransaction agent95 comprises executable code running on one or more servers of theonline merchant90. In other embodiments, thetransaction agent95 can comprise a device that communicates with the computing device(s) of theonline merchant90. If the user has not already loaded thesecure operating system35 onto the host computer, the host computer may instruct the user to do so.

Atblock1120, when such a user elects to submit an order, thetransaction agent95 causes transaction information, such as an online merchant identification code, an order identification code, total purchase price, combinations of the same, or the like, to be sent to thetransaction server75 over theinternet80. Atblock1125, thetransaction agent95 also re-directs the user to thetransaction server75. For example, the user's web browser can be directed to a web page hosted by thetransaction server75 or, if the host computer has not already established a private connection with thetransaction server75, it can be instructed to do so. As illustrated inFIG. 10, the connection between the user and the transactions server is a private connection such as anencrypted VPN connection60.

Then, atblock1130, thetransaction server75 instructs the user to authenticate his identity, for example, using a level3 authentication procedure. If the authentication procedure is unsuccessful, then the transaction is denied atblock1140. In contrast, if the authentication procedure is successfully completed, the portable biometrically-secureddevice10 allows the user to select and/or transmit payment information to thetransaction server75 via theprivate connection60 to thesecure internet portal70 atblock1145. Unlike conventional, less secure online transactions, the user does not transmit his personal credit card or other payment information to theonline merchant90. In conventional online transactions, such transmissions of credit card information and the like are problematic because they pass over theunsecured internet80 rather than through a private connection.

Moreover, in conventional online transactions, each purchase from a new online merchant generally requires the user to send his credit card information to the new merchant, resulting in the widespread dissemination of his payment information and increased probability of a security breach that would jeopardize the secrecy of the information. Instead, as illustrated in more detail inFIG. 10, in thefinancial transaction system1000 the user transmits his payment information to thetransaction server75 via theprivate connection60 and not to theonline merchant90. Moreover, in some embodiments, thetransaction server75 does not store the user's payment information beyond the time necessary to complete the transaction.

Atblock1150, once thetransaction server75 has received the user's payment information from the portable biometrically-secureddevice10 as well as the transaction information (e.g., merchant identification code, order identification code, total purchase price, etc.) from theonline merchant90, then thetransaction server75 transmits the payment and transaction information to the financial processor/clearing house100. In certain embodiments, this transmission can be done in such a manner as to emulate a general online transaction payment request in the format and way that such payment requests are normally submitted from merchants to existingpayment processors100. Thus, from the point of view of thepayment processor100, the payment request appears as a typical one that it might otherwise receive directly from anonline merchant90, and little or no modifications to thepayment processor100 are necessary.

Once the payment and transaction information are received by the payment processor/clearing house100, it may in turn forward the information to the user's credit card issuer and affiliate bank to determine whether the payment request is approved. If the payment is approved by the user's credit card issuer atblock1155, the payment processor/clearing house100 transmits payment to the online merchant's bank as well as order confirmation/fund approval information to theonline merchant90, atblock1160. Theonline merchant90 then sends a sales receipt to the user's portable biometrically-secureddevice10, for example, via thetransaction server75 or directly to thedevice10. The transaction is then completed at1180. Once more, unlike conventional methods, the purchase transaction can be completed without sending theonline merchant90 personal financial information.

If, however, the user's payment is not approved by the financial processor/clearing house100, then it sends declined payment information to theonline merchant90 atblock1170. Atblock1175, theonline merchant90 then notifies the user that the purchase has been declined and the transaction is ended atblock1180.

The secure internet portal also includes a communicationsfunctional module920.FIG. 12 is a flowchart illustrating one embodiment of a method for performing electronic communications using the biometrically-secureddevice10. As shown in more detail inFIG. 9, thecommunications module920 can includeemail925, chat930, voice messaging such as VOIP935 (a user can make/receive VOIP calls with microphone and speaker coupled to the user'shost computer50, or by connecting to the portable biometrically-secured device'sBLUETOOTH transceiver18 using a BLUETOOTH enabled cell phone, for example), and/ordiscussion group940 services.

With reference toFIG. 12, aprocess1200 for performing a secure communication session is disclosed. In certain embodiments, the communicationsfunctional module920 provides for a secure communication session involving a sender and a recipient, or multiple senders and/or recipients. As shown, atblock1210 of theprocess1200, a sender initiates a communication session with a recipient-user of the portable, biometrically-secureddevice10.

When initiating the communication session, the sender can, for example, select an option that requires the recipient to authenticate his identity before gaining access to the communication session. In some embodiments, both the sender and the recipient are users of thesecure internet portal70 and each uses a portable, biometrically-secureddevice10, or other like device, to communicate with one another. However, even if the sender is not a user of the secure internet portal70 (e.g., he sends an email from an email server outside thesecure internet portal70, initiates a chat session without using thesecure internet portal70 service, etc.), the sender can be provided with the option to require the recipient of the communication to authenticate his identity before receiving the communication. In certain embodiments, the initiated communication session is in the form of an email sent to the recipient, a VOIP telephone call (or other type of voice messaging session) to the recipient, a request to chat online, a request to join an online discussion group or the like. Other types of communication sessions, such as paging, net meetings, group emails, conference calls, or the like are also possible.

Atblock1220, the recipient creates a secure computing platform from which to communicate. This can be done, for example, by using the portable biometrically-secureddevice10 to load thesecure operating system35 onto ahost computer50, as described herein. In some embodiments, the user is also required to log into and/or form a connection with thesecure internet portal70, as described herein. For example, atblock1230, the recipient authenticates his identity to thesecure internet portal70. In some embodiments, a level3 authentication process is used, but others are also suitable.

Assuming that the recipient successfully completes the authentication process, atblock1240 the recipient is granted access to the communication session initiated by the sender. For example, in one embodiment, the recipient may be granted access to an email sent to him. In another embodiment, the user may be allowed to answer an incoming VOIP call. In another embodiment, the user may be permitted to begin an online chat session or enter into a discussion group to which he has been invited. Other types of communication sessions are also possible. Since the authentication procedure includes a biometric authentication step in some embodiments, the sender can ensure that the recipient of the communication session he initiated is the intended recipient.

In some embodiments, these communications services are provided in a closed loop manner between two users of thesecure internet portal70 and portable, biometrically-secureddevices10. For example, in certain embodiments, communications between two users of thesecure internet portal70 are not transmitted outside of secure connections to and from thesecure internet portal70, thus decreasing the possibility that such communications may be intercepted by unauthorized parties. In addition, the communication services can be configured so that they are inaccessible outside of a private connection with thesecure internet portal70. For example, thecommunications module920 can be configured so that email messages, chat transcripts, or the like cannot be printed or saved outside of thesecure internet portal70.

In addition, the email service may require a user to authenticate his identity each time before viewing a saved email message. This authentication procedure can include a biometric authentication step so that even unauthorized persons who gain access to a user'shost computer50 while he is logged into thesecure internet portal70 are prevented from viewing the user's email messages or gaining access to other communication sessions intended for the user. In the case of a chat session, for example, the sender can require the recipient to re-authenticate his identity at any point during the chat according to the sender's discretion. It should be noted that in some embodiments, if the sender, or initiator of the communication session, is also a user of the portable, biometrically-secureddevice10, he too may be required to boot hishost computer50 with thesecure operating system35 and authenticate his identity in the ways described herein before being permitted to initiate the communication session.

Although theprocess1200 has been described with reference to particular embodiments, other embodiments of theprocess1200 may have more or fewer block than those depicted inFIG. 12. For instance, in certain embodiments, a user may receive an indication that a biometrically-secure communication has been sent to him or her. In certain embodiments, the indication may include less information than the entire communication, such as a header or subject line of an email message.

With reference toFIG. 9, thesecure internet portal70 also includes thefinancial services module945, themedical information module950, and thegovernment information module960. Each of these functional modules allows a user to access, create, remove, or modify his accounts, settings, profile, combinations of the same, or the like, with third parties who are affiliated with the secureinternet portal service70. For example, in certain embodiments, a user can utilize thefinancial services module945 to access his investment portfolios with affiliated brokerage firms after authenticating his identity according to the methods described herein.

Likewise, in certain embodiments, a user can utilize themedical information module950 to access private medical records, submit questions to medical providers regarding private health conditions, and/or access/change insurance coverage after authenticating his identity. The requirement that a user authenticate his identity to access these medical records may comply with certain government regulations. Similarly, in certain embodiments, thegovernment information module960 allows a user to access information from affiliated government entities upon authenticating his identity. In one embodiment, thegovernment information module960 operates as a secure online forum to allow users to vote in government elections, since the user can be required to biometrically authenticate his identity beforehand.

Thesecure internet portal70 also includes a connection managerfunctional module970. In certain embodiments, theconnection manager module970 allows users to configure and manage connections to various remote computers and services. In some embodiments, the user connections to remote computers are private, biometrically-secured, and are initiated from a secure computing platform (e.g., ahost computer50 that has been loaded with the secure operating system35). With these connections, a user can remotely access files and remotely control a computer with, for example, a remote desktop client that is included with some embodiments of thesecure operating system35.

FIG. 13 is a dataflow chart of aremote access system1300 configured to provide for communications between a user and aremote computer55. As shown, theremote access system1300 comprises the biometrically-secureddevice10, thehost computer50, thesecure internet portal70, and theremote computer55. As described herein, the portable biometrically-secureddevice10 is communicatively coupled to thehost computer50 that is in turn communicatively coupled to thesecure internet portal70 via a private connection such as theencrypted VPN connection60. In turn, thesecure internet portal70 is communicatively coupled to theremote computer55.

In certain embodiments, theremote computer55 can be the user's home computer, for example, when he is traveling away from home. Theremote computer55 can also be a file server, such as a corporate file server, or some other network-attached electronic data storage device, to name only a few examples. In some embodiments, the connection between thesecure internet portal70 and theremote computer55 is a private connection, such as anotherencrypted VPN connection65. WhileFIG. 13 illustrates thehost computer50 being communicatively coupled to theremote computer55 via the secure internet portal, in some embodiments thehost computer50 and theremote computer55 have a directprivate connection60 with one another instead of connecting via thesecure internet portal70 and two

private connections

60,65.

FIG. 14 is a flowchart illustrating one embodiment of aremote access process1400 for connecting to a remote computer, such as theremote computer55 in theremote access system1300. In certain embodiments, theremote access process1400 advantageously utilizes the biometrically-secureddevice10.

Atblock1410 of theremote access process1400, a user configures a selected remote computer (e.g., remote computer55) to accept access requests from a host computer (e.g., host computer50) that is in communication with the user's portable, biometrically-secureddevice10 when the user is away from theremote computer55. This configuration of theremote computer55 can be done, for example, at a time when the user is physically present at theremote computer55.

In certain embodiments, theremote computer55 can be configured to accept private incoming connections from thesecure internet portal70, for example, in cases where a user connects to theremote computer55 via thesecure internet portal70. In addition, theremote computer55 can be configured to accept private incoming connections directly from a particular host computer that has been appropriately configured to create a private connection to the remote computer.

In certain embodiments, configuration of theremote computer55 is completed using the configuration utility that is loaded from the user's portable, biometrically-secureddevice10 when thedevice10 is communicatively coupled to theremote computer55. Again, the user can perform the configuration operation at a point in time when he is physically present at theremote computer55, allowing him to remotely connect to thecomputer55 at a later time. As described herein, in some embodiments, the user is required to biometrically authenticate his identity to theportable device10 before the configuration utility is loaded on to theremote computer55.

In certain embodiments, once the configuration utility has loaded, the user may choose to enable theremote computer55 to be controlled via a remote desktop client included with the user's portable, biometrically-secureddevice10 and/or for file sharing (e.g., the user may select files to be shared remotely). Once the private connection (e.g., encrypted VPN connection) between theremote computer55 and, for example, thesecure internet portal70 is configured, thesecure internet portal70 can be notified so that the connection can be offered by theconnection manager module970 at a later time when the user wishes to remotely connect to theremote computer55.

After theremote computer55 has been appropriately configured, atblock1415 the user loads thesecure operating system35 onto thehost computer50, as described herein. Atblock1420, thehost computer50 creates theprivate connection60 with thesecure internet portal70, and the user logs into thesecure internet portal60. In other embodiments, thehost computer50 may create a private connection directly to theremote computer55 without connecting via thesecure internet portal70.

Atblock1425, the user accesses the connection managerfunctional module970 using, for example, a graphical user interface of thesecure internet portal70. The connection manager functional module indicates which of the user's remote connections are available for use and allows the user to select a particularremote computer55 with which he wishes to connect. Then, atblock1430, thesecure internet portal70 initiates aprivate connection65 with theremote computer55 by, for example, forming an encrypted VPN connection between the two computers. In certain embodiments, the encryption level of the connection can be scaled according to the bandwidth of the transmission channel between the two computers.

In one embodiment, theremote computer55 is configured to only accept incoming private connections that are initiated with the user's personal portable, biometrically-secureddevice10. Moreover, theremote computer55 can be configured to allow such a connection only after the user has completed a log-in process to theremote computer55. This authentication process occurs atblock1435.

In some embodiments, the log-in process includes the transmission of information derived from the user's biometric signature to theremote computer55 for independent verification of the user's identity. In this way, theremote computer55 can make an independent determination as to whether the user's biometric signature corresponds to that of a user who has previously configured theremote computer55 to accept private incoming connections. This remote biometric authentication process can be performed according to the methods described herein. In one embodiment, the authentication procedure atblock1435 is a level3 authentication procedure.

If the authentication procedure is unsuccessful, then atblock1450, theremote computer55 denies access to the user. If, however, the authentication procedure is successfully completed, then the user is granted access to theremote computer55 atblock1445. Once the user is granted access to theremote computer55, then he may use a remote desktop client included with some embodiments of thesecure operating system35 to control theremote computer55 as if he were physically present at theremote computer55.

Once a user is granted access to theremote computer55, he may also be permitted to access and modify electronic files stored by theremote computer55. In some embodiments, thesecure internet portal70 assembles links to files from a plurality ofremote computers55 so that they can be accessed and edited from a central repository, as well as being synchronized between the plurality ofremote computers55 when changes are made. In some embodiments, the user can modify files using, for example, software provided with thesecure operating system35 and running on thehost computer50, or online software, such as word processing or spreadsheet tools, offered by thesecure internet portal70. Other types of software can also be provided by thesecure operating system35 or thesecure internet portal70 to allow the user to create or modify various types of files. In some embodiments, the electronic files can be downloaded to the user's portable, biometrically-secured device for offline work. In these cases, a log can be kept of offline changes made to the files, so that once the user's portable, biometrically-secured device is connected to theremote computer55 again, the files stored in each location can be synchronized.

In the case where theremote computer55 is, for example, a corporate file server, the company can be given the ability to change permission settings that control which files on the corporate file server are accessible by the user. If at any time the company removes access privileges to a file from a user after he has stored the file on hisportable device10, then, in certain embodiments, thesecure internet portal70 can be configured to send a command to the user'sportable device10 to delete the file from the user'sdevice10 once thedevice10 is again used to establish a connection with thesecure internet portal70. This command can be issued, for example, when the user'sportable device10 contacts thesecure internet portal70 to download peripheral device drivers for use in controlling thehost computer50.

In certain embodiments, thesecure internet portal70 can include a registration and rebuild service for initially registering a user's portable, biometrically-secureddevice10 and/or for rebuilding the user's information to a new portable, biometrically-secureddevice10 if hisold device10 becomes lost, stolen, or damaged.FIG. 15 is aflowchart1500 illustrating one embodiment of a method for registering and restoring information to the biometrically-secureddevice10.

When a user first purchases a portable, biometrically-secureddevice10, as described herein, he establishes a communication connection between thedevice10 and a host computer. Theportable device10 loads asecure operating system35 onto thehost computer55 and establishes a private connection to asecure internet portal70, as shown atblock1502. In certain embodiments, each portable, biometrically-secureddevice10 includes a unique identification code which is checked by thesecure internet portal70 each time thedevice10 is used to connect to thesecure internet portal70. If the identification code is not new, atblock1585, thesecure internet portal70 initiates a login procedure, causes the user to authenticate his identity atblock1590, and displays the secure internet portal homepage atblock1595. If, however, the identification code is recognized as being new, then, atblock1505, thedevice10 is determined to be anew device10, and the process passes to block1510.

Atblock1510, thesecure internet portal70 determines whether thenew device10 is being used by a new user or by a current user. This can be done, for example, by allowing the user to so indicate at the time of the login procedure to the secure internet portal. If thenew device10 is being used by a new user, then atblock1515 thesecure internet portal70 begins a registration process for the user and the new device.

For example, the secure internet portal can direct the user to a registration page where, atblock1520, the user provides personal registration data. This data can include the user's name, a chosen username, password, and/or a selected one of a plurality of images for use in the authentication processes described herein, contact information, and combinations of the same or the like. In some embodiments, the registration data also includes information derived from the new user's unique biometric signature.

For example, a multi-part biometric key can be formed which allows the user to later authenticate his identity to the portable, biometrically-secureddevice10, thesecure internet portal70, and/or other remote computers. The biometric key can be generated by theportable device10 based upon the user's unique biometric signature, which is inputted using thebiometric sensor30. In some embodiments, the unique biometric signature comprises information indicative of one or more of the user's fingerprints.

In certain embodiments, during the registration process, one or more of the user's fingerprints are read by thesensor30 according to any method known in the art (e.g., optical imaging, capacitive and/or temperature mapping, etc.). For example, the user's fingerprint can be read and various point samples (e.g., minutia points of the fingerprint) taken and used to generate a unique identifier. In some embodiments, the unique identifier is a mathematical algorithm that can be used to re-create the information that is extracted from the user's fingerprint. The identifier can then be split into multiple parts, each part being stored in a separate location. For example, one part can be stored on the user's portable, biometrically-secureddevice10, another part can be stored at thesecure internet portal70, while other parts can be stored at other remote computers. In some embodiments, none of the parts of the unique identifier is independently capable of re-creating the information that is extracted from the user's fingerprint.

Later, after a user has registered hisportable device10, when he scans his fingerprint with thebiometric sensor30, the unique identifier is re-generated. The portion of the re-generated identifier can then be compared to the portion that is already stored in theportable device10 to determine whether the user is the owner of thedevice10. Thesecure internet portal70 can independently authenticate the user's identity in a similar manner. For example, when a user scans his fingerprint to re-generate the unique identifier, a portion of the identifier can be transmitted to thesecure internet portal70 where it can be compared against that portion of the unique identifier that has already been stored at the secure internet portal. A similar process can be performed by any other remote device where a portion of the unique identifier has been stored.

Moreover, in certain embodiments, a key generation algorithm is used to generate a private/public key pair from the user's biometric signature (e.g., fingerprint). The algorithm is designed so that the key pair is unique to the user's fingerprint and can be re-created therefrom. The private key can be stored on the user'sportable device10, while the public key is transmitted to thesecure internet portal70 and/or other remote computers. Communications from the user'sportable device10 can be encrypted using the private key and then decrypted with the public key at, for example, thesecure internet portal70. This type of asymmetric cryptographic process is yet another way by which a user's identity can be biometrically authenticated by the portable, biometrically-secureddevice10 as well as being independently authenticated by thesecure internet portal70 or any other remote computer that receives the public key.

In certain embodiments, the biometric authentication performed by the secure internet portal and/or other remote computers can be performed without the need to store or share images of the user's fingerprints. By breaking the biometric authentication algorithm into multiple parts that are each stored in separate locations, a biometric authentication procedure can be made to have redundant security points without a single point of failure.

Once the user has provided his registration information, he can also provide any desired financial information (e.g., credit card information), atblock1525. Atblock1530, some or all of the user's private information can be stored to one or more back-up file locations. For example, back-up file locations may include thesecure internet portal70 itself, a corporate server, the user's personal computer, network-attached storage devices, combinations of the same or the like.

Atblock1535, the user's private information that he has provided to thesecure internet portal70 during the registration process is added to the user's portable biometrically-secureddevice10. This can include the user's financial information, username, password, choice of security images, and/or other electronic files. Then, atblock1540, the secure internet portal initiates its log-in procedure, as described herein. Atblock1545, the user authenticates his identity, for example, according to a level3 authentication procedure. Assuming the successful completion of the authentication procedure, the secure internet portal displays the home page and the user is permitted to select one of the various transactions facilitated by the portal's functional modules (block1595).

Should the user'sportable device10 become lost, stolen, and/or damaged, in certain embodiments, he can replace theold device10 with a new one, and rebuild his private information to the new device. For example, if, atblock1510, it is determined that the newportable device10 belongs to an existing user, then the user is directed to begin a data rebuild process, beginning atblock1550.

Atblock1555, the user authenticates his identity using, for example, a level3 authentication procedure. Even though the portable, biometrically-secureddevice10 is a new one, the biometric sensor can be used to regenerate the user's unique mathematical key pair so that his identity can be biometrically authenticated by thesecure internet portal70. Assuming that the authentication procedure is successfully completed, atblock1565, the secure internet portal accesses the user's back-up file locations and transfers the user's private information, including financial information, electronic files, and the like, to the user's newportable device10. Atblock1570, the secure internet portal optionally references the unique identification code of the user'sprevious device10 and adds it to a banned list. In certain embodiments, access to the secure internet portal by theold device10 can also be disabled.

In some embodiments, additional security procedures are implemented to protect the secrecy of the user's data on his old portable, biometrically-secureddevice10. For example, in certain embodiments, each time theportable device10 is communicatively coupled with ahost computer50, the unique identification code of thedevice10 is transmitted to thesecure internet portal70. After being added to the banned list, the next time that theold device10 is coupled to ahost computer50, thesecure internet portal70 can issue a “scorched earth” command to the oldportable device10, causing theprocessor32 to erase the device's memory modules and/or otherwise disable theold device10. Thus, despite the fact that the private information stored on the user'sold device10 is protected from being accessed by unauthorized individuals with the biometric authentication procedures and tamper-resistant features described herein, the scored earth command can add an additional degree of security in the case of loss or theft.

Once the user's personal information has been added to the user's new portable, biometrically-secured device, atblock1575, thesecure internet portal70 initiates its login procedure. At block1580, the user authenticates his identity, for example, using a level3 authentication procedure. Then atblock1595, thesecure internet portal70 displays the home page, as discussed herein.

The foregoing disclosure has oftentimes partitioned devices and system into multiple modules (e.g., components, computers, servers) for ease of explanation. It is to be understood, however, that one or more modules may operate as a single unit. Conversely, a single module may comprise one or more subcomponents that are distributed throughout one or more locations. Further, the communication between the modules may occur in a variety of ways, such as hardware implementations (e.g., over a network, serial interface, parallel interface, or internal bus), software implementations (e.g., database, passing variables), or a combination of hardware and software.

Moreover, in certain embodiments, the systems and methods described herein can advantageously be implemented using computer software, hardware, firmware, or any combination of software, hardware, and firmware. In one embodiment, the system is implemented as a number of software modules that comprise computer executable code for performing the functions described herein. In one embodiment, the computer-executable code is executed by one or more general purpose computers. However, a skilled artisan will appreciate, in light of this disclosure, that any module that can be implemented using software to be executed on a general purpose computer can also be implemented using a different combination of hardware, software, or firmware. For example, such a module can be implemented completely in hardware using a combination of integrated circuits. Alternatively or additionally, such a module can be implemented completely or partially using specialized computers designed to perform the particular functions described herein rather than by general purpose computers.

A skilled artisan will also appreciate, in light of this disclosure, that multiple distributed computing devices can be substituted for any one computing device illustrated herein. In such distributed embodiments, the functions of the one computing device are distributed such that some functions are performed on each of the distributed computing devices.

Furthermore, it will be understood from the disclosure herein that a variety of communication media may be used between modules of embodiments of the invention. For instance, as described in more detail herein, in certain embodiments, the communications medium is the internet, which is a global network of computers. In other embodiments, the communications media may comprise other communication systems including by way of example, dedicated communication lines, telephone networks, wireless data transmission systems, two-way cable systems, customized computer networks, interactive kiosk networks, automatic teller machine networks, interactive television networks, combinations of the same, or the like.

While certain embodiments have been explicitly described, other embodiments will become apparent to those of ordinary skill in the art based on this disclosure. Therefore, the scope of the inventions is intended to be defined by reference to the claims and not simply with regard to the explicitly described embodiments. Furthermore, while some embodiments have been described in connection with the accompanying drawings, a wide variety of variation is possible. Components, and/or elements may be added, removed, or rearranged. Additionally, processing steps may be added, removed, or reordered. For example, the various user identity authentication procedures described herein can be performed at different times than is indicated in the accompanying figures.