Use case example: Authentication for accessing a concert¶
Here it is described a complete use case of the das-FaceQR technology in combination with other Veridas digital authentication products. The example presents a concert ticket sales process and an authentication process in the event entrance.
Tickets sale¶
Someone decides to go to a concert. To do that, a ticket has to be bought. The chosen channel to buy it is the tickets sale webpage so it will be done remotely. During the buying process, certain personal information is requested to the client, like its name, surnames, etc. as well as its banking information. Veridas does not take part in any of these processes.
Once these forms are completed and submitted, the tickets sale webpage uses the Veridas selfie-alive SDK and requests the user to do a selfie photo. This SDK requests the user to do an action to continue the process, using the action to verify that the person is alive. Currently, the requested action is to smile.
After the capturing process is completed, the service provider can apply, optionally, the Veridas anti-spoofing detection services to determine that the captured selfie photo is not a photo of a screen (not available for web capture technology) and to check that the selfie photo and the smiling photo corresponds to the same person. This functionality requires the use of the das-Face API.
Finally, the service provided calls the das-FaceQR API with the selfie photo captured by the user. Moreover, the localization and the concert date are included as contextual data, as well as the access door and the seat assigned to the user. With this information, das-FaceQR generates a biometric QR.
The previous image represents an example of version 23 and M redundancy QR, which is adequate for storing the biometric information and the contextual data associated to the concert.
The user receives an email confirming that the purchase process has ended (the flow related to the payment process is obvious in the description) and that the ticket is available. The user has two options, print the entry with the biometric QR or save it in its wallet.
Access to the concert¶
The concert’s day, the user goes to the place where it takes place.
On the day of the concert, the user goes to the facilities where it takes place. A biometric door is installed in the access control. This door must contain the following elements.
- A camera for capturing the user image.
- A QR code reader, although they can optionally be read through an image processing software from the previous camera.
The user approaches the camera and shows his biometric QR to the reader. The displayed QR can be represented on the paper entry or on the wallet of the user's mobile device. In this way, the authentication process begins with something that the user is (his face) in combination with something that the user has (his physical or digital biometric QR).
In any case, the software installed on the door sends the facial image captured with the biometric door camera and the biometric QR to das-FaceQR to verify that the user has the right to access (it is obvious at this point if das-FaceQR is installed on-premises or is served from the cloud).
das-FaceQR receives the above information. First, it checks the integrity of the information obtained by signing the biometric QR, to ensure that there is no alteration on the biometric QR. If the integrity of the information can be assured, das-FaceQR decrypts the biometric vector. Following this process, das-FaceQR sends das-Face the registration biometric vector and the recently captured image at the concert access door. das-Face reads the biometric model version that has to be used for the biometric comparison and executes the corresponding comparison. Finally, a similarity value and the contextual data read is returned to the service provider.
The service provider then executes business logic. For example, it checks the contextual data information regarding the concert date and the gateway. If they are correct, it goes on to check the business logic based on the biometrics score. For example, if the comparison score obtained by das-FaceQR is greater than 90%, it authorizes the user access.
Finally, after the authorization, the access door opens and the user accesses the concert facility.
FAQs¶
The ticket buyer illegally resells its ticket. Can the illegitimate buyer access the concert? It cannot access the concert. The biometric comparison between the photo captured at the access
door and the biometric QR would not be satisfactory, obtaining a low similarity score.
The ticket buyer loses his ticket. Can a person who finds it access the concert? You cannot access the concert. As in the previous case, the biometric comparison between the photo captured at the access door and the biometric QR would not be satisfactory, obtaining a low similarity score.
The buyer of the ticket cannot attend the concert and decides to return the ticket or sell it by the legal means established for this purpose. How can it be articulated?
The service provider should establish an inbound return or delegation process for the ticket. In
other words, a process that allows the already purchased ticket to be authenticated in order to return it or transfer it to another person. This authentication process would consist on validating the ownership of the ticket by using a selfie photo and the biometric QR of the entrance, thus allowing the return of the money or the transfer to another third person. This third person would carry out a process of generating their biometric QR following the usual process.
The concert is repeated on Friday and Saturday. The user bought the ticket for Friday. Can the user also access the concert on Saturday?
You cannot access the concert, as long as the service provider establishes a validity date for the biometric QR and verifies it after reading the contextual data by das-FaceQR
The user gets the wrong access door to the concert facility. Can the user access the facility?
As in the previous case, you cannot access the concert, as long as the service provider sets the value of the access door in the contextual data and checks it after reading by das-FaceQR.
The ticket buyer manipulates the data of the seat number in the biometric QR to access a privileged area. Can the user access the concert?
The user cannot access the concert. The integrity check carried out by das-FaceQR verifies that the stored data, both the biometric credential and the contextual data have not been modified. This is done thanks to the signing of the data.
The user makes a fake biometric QR to access the concert. To do this, he uses a biometric credential that he previously used to travel by train and adds the contextual information associated with the concert. Can the user access the concert?
The user cannot access the concert. The integrity check carried out by das-FaceQR verifies that the stored data, both the biometric credential and the contextual data have not been modified. This is done thanks to the signing of the data. Additionally, the encryption of the biometric vector will be done with a different key for each client in future versions of das-FaceQR. This implies that decryption of the biometric vector with the password of the company which organizes the concert would not be possible, since the biometric vector was originally encrypted with the password of the railway transport company.