WO2001091398A2 - Authentication system and method - Google Patents

Authentication system and method Download PDF

Info

Publication number
WO2001091398A2
WO2001091398A2 PCT/IB2001/000903 IB0100903W WO0191398A2 WO 2001091398 A2 WO2001091398 A2 WO 2001091398A2 IB 0100903 W IB0100903 W IB 0100903W WO 0191398 A2 WO0191398 A2 WO 0191398A2
Authority
WO
WIPO (PCT)
Prior art keywords
user
passcode
facility
authentication
server
Prior art date
Application number
PCT/IB2001/000903
Other languages
French (fr)
Other versions
WO2001091398A3 (en
Inventor
Gavin Walter Ehlers
Walter Bam Smuts
Original Assignee
Expertron Group (Pty) Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Expertron Group (Pty) Ltd filed Critical Expertron Group (Pty) Ltd
Priority to EP01932002A priority Critical patent/EP1290850A2/en
Priority to CA002410431A priority patent/CA2410431A1/en
Priority to US10/296,364 priority patent/US20030172272A1/en
Priority to JP2001586866A priority patent/JP2003534589A/en
Priority to AU2001258681A priority patent/AU2001258681A1/en
Publication of WO2001091398A2 publication Critical patent/WO2001091398A2/en
Publication of WO2001091398A3 publication Critical patent/WO2001091398A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless

Definitions

  • THIS invention relates to an authentication system and method, and in particular to a system for and method of authenticating a user's identity by using a mobile communication device as an authentication token.
  • Typical systems for allowing a user to access a secure service are computer- based systems comprising client and server computers.
  • client and server computers There are, however, three fundamental concerns when users need to utilise these systems, namely the authentication of the user (and/or client computer) making use of the secure service for allowing the server to confirm the identity of the user (and/or client computer); authentication of the server providing the secure service for allowing the user to confirm the identity of the server; and encryption of the communication channel between the server and the client computer, which is especially necessary when a high degree of confidentiality is required such as during a private transaction, or when messages need to be digitally signed.
  • the first of these three concerns namely the authentication of the user
  • Users usually identify themselves to servers by providing a "username" or "user number”. Since usernames and numbers are generally not kept secret, it would be relatively easy for an intruder to pose as another user and gain access to that user's secure service(s). To prevent this from happening, the identity of the user must be authenticated.
  • User authentication is usually done in one of three ways. The first is knowledge of confidential information, such that if the user can show that he or she is in possession of certain confidential information such as a password, a personal identification number (PIN), a cryptographic key or a certificate, which only the real user is supposed to know, it may act as proof of identity.
  • PIN personal identification number
  • a hardware device or token such as a magnetic card, a smart card, a cryptographic token or calculator, which only the real user is supposed to have, again this may act as proof of identity.
  • a measurement of a part of his or her body such as a fingerprint, a retina scan or a photograph, matches that of the real user, this may also act as proof of his or her identity.
  • Authentication systems and methods based on hardware tokens and biometric measurements are considered to be relatively "strong" because the identity of a user cannot be falsely authenticated by, for example, guessing confidential information.
  • token-based authentication the user can be assured that as long as he or she is in possession of the hardware token, access to his or her secure services by a third party is impossible.
  • biomet c-based authentication where the biometric measurement is encoded into some electronic format that is transmitted over open communication channels, this information must be encrypted to preserve its secrecy and prevent unauthorized use by an imposter. Although this is generally a very secure authentication system and method, it does require significant logistical and computational overheads associated with the encryption techniques.
  • the existing "strong" methods of authenticating users suffer from two practical problems, namely a distribution problem and a registration problem.
  • the distribution problem refers to the difficulty of "rolling out” the user authentication technology.
  • either secret keys, hardware tokens such as cryptographic tokens and calculators, software programs or devices such as card readers and biometric scanners must be distributed to all the users.
  • users are usually widely distributed. This creates logistical problems where, due to the difficulty of distributing the necessary software and/or devices to the users, the implementation and maintenance of these authentication systems are in many cases expensive and impractical.
  • the user base is large, for example, where users from among the general public make use of online Internet-based subscription services including, but not limited to, Internet banking, access to electronic media and literature, insurance services, stockbrokerage, investment and other financial services, health services, as well as other online technologies such as e-commerce as well as the submission of electronic forms such as for tax returns, for example.
  • online Internet-based subscription services including, but not limited to, Internet banking, access to electronic media and literature, insurance services, stockbrokerage, investment and other financial services, health services, as well as other online technologies such as e-commerce as well as the submission of electronic forms such as for tax returns, for example.
  • the registration problem refers to the difficulty in populating the authentication database with correct information. If the initial registration of information into this database is not a trustworthy process, the security of the authentication method is undermined.
  • the registration problem is particularly evident when users from a large user base, such as from among the general public, need to be authenticated for online services such as those listed above.
  • a particularly advantageous feature of any authentication system and method, particularly for Internet applications, would be the ability to authenticate users who have not yet registered for the authentication service, or at least to enable the user to register online in order to make immediate use of secure online services.
  • an authentication system for authenticating the identity of a user wishing to access a facility, the system comprising:
  • password generating means for generating a passcode, the passcode generating means being controlled by the control means; a first communications network between the user and the facility for providing the facility with the user identification information and the passcode;
  • a second communications network between the facility and the control means for receiving an authentication request and for allowing the control means to provide the facility with the passcode
  • a third communications network between the user and the control means for sending the same passcode that was sent by the control means to the facility, to the user, for allowing the user to send the passcode to the facility via the first communications network;
  • comparing means for allowing the facility to compare the passcode received from control means with the passcode received from the user so as to allow the user to access the facility in the event of there being match in the passcodes.
  • the database that includes user identification information and the passcode generating means are situated at a centralized authentication server.
  • the comparing means is situated at the facility, thereby allowing the facility to make a final decision as to whether to allow the user access to the facility.
  • the third communications network is a cellular communications network with the database including at least the user's name or an identification number and an associated cellular communication device contact number.
  • the third communications network is a GSM-based cellular network.
  • the authentication system includes a confidence value generating means for generating a confidence value reflecting the integrity of the authentication system, the confidence value being sent to the facility together with the passcode via the second communications network.
  • the authentication request includes the user identification information and a server name or address.
  • the passcode is a random number.
  • the passcode is a cryptographic digest of a message sent by the user to the facility, the system thereby also allowing authentication of the message sent by the user.
  • the authentication system includes session number generating means for generating a session number, the session number being sent to both the facility and the user via the second and third communications networks respectively, so as to allow the facility and the user to match the received passcode with the correct authentication session.
  • the authentication system includes logging means for logging each attempted authentication session so as to form an audit trail.
  • the third communications network is selected from the group comprising a local area network (LAN), a wide area network (WAN) and the Internet.
  • LAN local area network
  • WAN wide area network
  • the Internet the Internet
  • an authentication method for authenticating the identity of a user wishing to access a facility comprising the steps of: prompting the user to provide the facility with user identification information;
  • the step of providing the user with the passcode includes the step of transmitting the passcode over a cellular communications network.
  • the method includes the step of generating a session number, the session number being sent to both the facility and the user so as to allow the facility and the user to match the received passcode with the correct authentication session.
  • the method includes the step of generating a confidence value reflecting the integrity of the authentication method, the confidence value being sent to the facility together with the passcode.
  • the step of the facility requesting authentication from a third party includes the steps of providing the third party with the user identification information and a server name or address.
  • the step of generating a passcode includes the step of generating a random number.
  • the step of computing a passcode includes the step of generating a cryptographic digest based on a message sent by the user to the facility.
  • the method includes the step of logging each attempted authentication session so as to form an audit trail.
  • the authentication system 10 of the invention allows the identity of a user 12 to be authenticated when the user 12 is seeking access to a secure service that is hosted on one of a plurality of internet protocol (IP) servers 14.
  • IP internet protocol
  • the IP servers 14 correspond to the computer system 16 that provides the secure service over an IP network, and may be a file server, mail server, print server, remote access server, web server, or any other suitable server.
  • the user 12, typically via his or her computer 18, interacts with the IP servers 14 via an IP network 20, which in broad terms relates to any communication infrastructure through which the user 12 can access the IP servers 14.
  • the IP network 20 will take the form of a local area network (LAN), a wide area network (WAN) or the Internet.
  • the authentication system 10 includes an authentication server 22, which is a centralized computer system 24 that performs most of the authentication used in the present invention.
  • the authentication server 22 is able to provide an authentication service to many IP servers 14, and this ensures that the present invention can be implemented on a broad basis.
  • the authentication system 10 of the present invention makes use of a user database, which is provided at the authentication server 22 or at a separate, dedicated database server.
  • the primary purpose of the user database is to match the name of the user 12 with an associated mobile communication device network number.
  • the user 12 database can be populated by an administrator, or by the users themselves. However, when users 12 register on the user database, the correctness of the information must be confirmed from third party sources such as databases of mobile communication network service providers, banks or any other trustworthy source of information.
  • a crucial element of the present invention is the provision of two separate communication channels, the first being the IP network 20 described above.
  • the second channel is a mobile communications channel 26 that utilises a mobile communication device 28 that will allow the authentication server 22 to communicate with the user 12.
  • mobile communication device 28 is meant to include, but not be limited to, cellular telephones operating with a valid SIM card, pagers and beepers.
  • any mobile device 28 that can be used to communicate and which is registered against the name of the user 12 can be used as proof of the identity of the user 12 or person trying to access the secure service.
  • This communication infrastructure will typically be a GSM cellular network.
  • this mobile communication infrastructure is used as a separate communication channel, and is used to provide the user 12 with a one-time passcode during the authentication process, as will be explained in detail further below.
  • the passcode can be either a random number, or can be a cryptographic digest of the information offered by the user. In the case of the cryptographic digest, the passcode forms an authentication signature of the contents of the message.
  • the IP servers 14, which refers to all servers that make use of the authentication system 10 of the present invention, make use of software, also known as a "thin authentication client". This software redirects the authentication process, which would typically have taken place at the IP server 14 itself, to the authentication server 22.
  • the authentication system 10 thus uses a mobile communication device 28 as an authentication token to authenticate the identity of a user 12 trying to gain access to a computer/network service 14 and/or the contents of a message provided by the user There are two mam steps that are used in the authentication process, namely registration and the actual authentication
  • the user's details including, but not limited to, a username or number and his or her mobile communication device network number, such as a mobile telephone number, are registered in the user database
  • the details submitted by the user to the database must be confirmed by another source This is done by asking the user to fax and/or post information such as mobile telephone account statements, credit card statements, etc, and/or by querying other databases such as those from mobile communication network service providers and banks Every time the information is confirmed, a confidence value reflecting the integrity of the confirmation method is adjusted and updated in the database
  • the process commences with the user 12 requesting access from his or her computer 18, via the IP network 20, to the desired service 16 that in turn is a subscriber to the authentication system of the invention, by sending his or her username or number to the IP server 14 via the IP network 20
  • the user may optionally add additional information, such as account details and amounts during a commercial transaction, for example, as part of the request for access to services
  • This step is shown in general by 30
  • the IP server 14 then generates a request for confirmation of the user's identity, which it then sends to the authentication server, as indicated by 32.
  • the request includes the username and server name or address as well as any extra information the user may have offered.
  • the authentication server 22 then generates a random number or computes a cryptographic digest, based on the information offered by the user, with either the random number or the cryptographic digest being referred to as a passcode, as well as a session number.
  • the authentication server 22 then also queries the user database for the mobile communication device network number of the user 12, and sends the passcode and session number via the mobile communication network to the user's mobile communication device 28.
  • This step is indicated by 34, and can be done by using any one of a number of suitable GSM messaging services, such as SMS, USSD, GPRS, as well as pager/beeper messaging services.
  • the device for sending this information to the user is indicated generally by 36.
  • the same passcode, session number, as well as a confidence level are sent to the IP server 14, as shown by 38.
  • a different passcode is used for every new access attempt, with the passcode only being valid for a limited period of time.
  • the user 12 receives the passcode by his or her mobile communication device 28, he or she offers it, via the IP network 20, as a passcode to gain access to the secure service offered by the IP server 14. This is shown at 40.
  • the passcode which is typically in the form of a random number or a cryptographic digest, is generated in a cryptographically secure manner, and is used only once for a single, unique login session.
  • the IP server 14 compares the passcode that was offered by the user via the IP network 20 with the passcode that was generated for that particular login session by the authentication server 22. If the two codes are the same, it is concluded that the user 12 is in possession of the authentication token, typically the GSM SIM card, and can therefore positively be identified as the user whom he or she claims to be.
  • the authentication token typically the GSM SIM card
  • this digest when logged, forms a signature, which can be used to confirm the authenticity of the information offered by the user. If, however, the numbers do not match, or if a response is not received within a certain time interval, access is denied.
  • a level of confidence which is derived from a method used to confirm the user's details in the database, is returned to the provider of the service where it may be used to determine whether or not to grant access to the user.
  • the confidence level is a numerical value that is assigned according to the procedure by which the details of user 12 are registered in the user database. For example, numerical values between 0 and 100 may be assigned to the user 12 in such a manner: if the user's data are registered online via the Internet by the user him/herself, a confidence level of 0 is assigned, indicating the lowest level of confidence. If, however, the user submits copies of documents, such as mobile telephone account statements, credit card statements, etc, via fax, a confidence level of 10, for example, may be assigned.
  • submission of original documents by post, or proof of possession of original documents in person may further increase the confidence level.
  • the highest confidence level, 100 in this case could be assigned if original documents, together with required identification, are provided in person, and this information can be verified by querying other databases such as those from mobile communication network service providers and banks.
  • it is the provider of the service or facility who ultimately needs to decide whether or not to grant access to the service or facility.
  • the outcome of the access attempt is sent back to the authentication server 22 and logged in the user database, as indicated by 42.
  • the passcode can also be combined with a password or a PIN number to form a stronger two-factor authentication system.
  • Each step in the authentication process is logged to form an audit trail that can serve, for example, as evidence that a specific user has indeed used the service.
  • a user would not be able to deny that he or she used a certain service if access to that service was granted after providing, within a limited period of time, a passcode that was sent to his or her mobile communication device during a period for which the mobile communication device was not reported missing.
  • the passcode being based on a cryptographic digest of the information offered by the user
  • the logged passcode acts as a signature and confirmation of the contents of the information offered by the user.
  • the cryptographic transformation of only the correct information will result in a match with the logged passcode.
  • Every login session or access attempt is numbered with a pseudo-unique number, known as the session number.
  • the authentication server sends a message containing the passcode via the mobile communication network to the user's mobile communication device, it also includes the Session Number.
  • the thin authentication client, or the software on the IP server uses the same session number when prompting the user for the passcode. This enables the user to match the received passcode with the correct login session.
  • the authentication system thus provides a practical way to authenticate the identity of users of computer systems for applications including, but not limited to: 1. Dial-up remote access
  • remote dial-up access can potentially open up the corporate LAN/WAN to any person world-wide, and hence secure user authentication is critical in order to confirm the identity of personnel trying to gain access.
  • Access by authorized employees or external support personnel to corporate computer applications including, but not limited to, databases, FTP, E-mail, etc.
  • authenticating the identity of the user conducting the transaction provides an important business advantage.
  • the authenticity of information such as the transaction amounts and account numbers can be logged and shown.
  • the authentication system of the present invention thus provides a "strong" and secure user authentication by using the user's cellular telephone SIM card as an authentication token.
  • a cryptographically secure random number or passcode is sent via a separate channel to the user's cellular telephone ensure that only the user in possession of the GSM SIM card can successfully authenticate his or her identity. Since every passcode is used once only, it cannot be re-used by an intruder.
  • a two-factor authentication mechanism results if the system is used in conjunction with a password or PIN number, which, it is envisaged, would be the preferred way in which the system would be used.
  • the disclosed system also addresses the distribution problem described above in that it uses existing cellular phones.
  • the registration problem is also addressed.
  • the present which makes use of existing infrastructure, such as hardware tokens and databases, is particularly suitable for applications that require secure authentication of users from large user bases, such as from among the general public.

Abstract

An authentication system (10) allows the identity of a user (12) to be authenticated when the user (12) is seeking access to a secure service provided by a server (14). The system (10) comprises two separate communications channels. The first channel is a network (20) for allowing the user (12) to communicate with the server (14). The second channel is a mobile communications channel (26) that utilises a mobile communications device (28) for allowing an authentication server (22) to communicate with the user (12). In use, when the user (12) requests access to the server (14), he or she sends a username to the server (14). The server (14) generates a request for the confirmation of the user's identity, which it sends to the authentication server (22). The authentication server (22) in turn generates a passcode and also queries a user database for the mobile communication device network number of the user (12). The server (22) sends the passcode via the mobile communication network to the user's mobile device (28) and to the server (14). Once the user (12) receives the passcode, he or she offers it as a passcode to the server (14), which compares the passcode that was offered by the user (12) with the passcode that it received from the authentication server (22). If the two codes are the same, the server (14) may allow access to the desired service or facility.

Description

AUTHENTICATION SYSTEM AND METHOD
BACKGROUND OF THE INVENTION
THIS invention relates to an authentication system and method, and in particular to a system for and method of authenticating a user's identity by using a mobile communication device as an authentication token.
Typical systems for allowing a user to access a secure service are computer- based systems comprising client and server computers. There are, however, three fundamental concerns when users need to utilise these systems, namely the authentication of the user (and/or client computer) making use of the secure service for allowing the server to confirm the identity of the user (and/or client computer); authentication of the server providing the secure service for allowing the user to confirm the identity of the server; and encryption of the communication channel between the server and the client computer, which is especially necessary when a high degree of confidentiality is required such as during a private transaction, or when messages need to be digitally signed.
Generally, the first of these three concerns, namely the authentication of the user, is the most challenging. Users usually identify themselves to servers by providing a "username" or "user number". Since usernames and numbers are generally not kept secret, it would be relatively easy for an intruder to pose as another user and gain access to that user's secure service(s). To prevent this from happening, the identity of the user must be authenticated. User authentication is usually done in one of three ways. The first is knowledge of confidential information, such that if the user can show that he or she is in possession of certain confidential information such as a password, a personal identification number (PIN), a cryptographic key or a certificate, which only the real user is supposed to know, it may act as proof of identity. Secondly, if the user can show that he or she is in possession of a hardware device or token, such as a magnetic card, a smart card, a cryptographic token or calculator, which only the real user is supposed to have, again this may act as proof of identity. Finally, if the user can show that a measurement of a part of his or her body, such as a fingerprint, a retina scan or a photograph, matches that of the real user, this may also act as proof of his or her identity.
However, user authentication based on secret, confidential information is generally considered to be a weak authentication method because users are known to choose weak, easy-to-guess passwords, or to write down passwords, or to even share passwords. Furthermore, the user is never totally sure that a third party does not know his or her secret, confidential information.
Authentication systems and methods based on hardware tokens and biometric measurements are considered to be relatively "strong" because the identity of a user cannot be falsely authenticated by, for example, guessing confidential information. For token-based authentication, the user can be assured that as long as he or she is in possession of the hardware token, access to his or her secure services by a third party is impossible. For biomet c-based authentication where the biometric measurement is encoded into some electronic format that is transmitted over open communication channels, this information must be encrypted to preserve its secrecy and prevent unauthorized use by an imposter. Although this is generally a very secure authentication system and method, it does require significant logistical and computational overheads associated with the encryption techniques. The existing "strong" methods of authenticating users suffer from two practical problems, namely a distribution problem and a registration problem. The distribution problem refers to the difficulty of "rolling out" the user authentication technology. In all cases, either secret keys, hardware tokens such as cryptographic tokens and calculators, software programs or devices such as card readers and biometric scanners must be distributed to all the users. Usually there are many more users than servers, and where the servers may be centrally located, users are usually widely distributed. This creates logistical problems where, due to the difficulty of distributing the necessary software and/or devices to the users, the implementation and maintenance of these authentication systems are in many cases expensive and impractical. This is particularly true where the user base is large, for example, where users from among the general public make use of online Internet-based subscription services including, but not limited to, Internet banking, access to electronic media and literature, insurance services, stockbrokerage, investment and other financial services, health services, as well as other online technologies such as e-commerce as well as the submission of electronic forms such as for tax returns, for example.
Turning now to the registration problem mentioned above, all "strong" user authentication mechanisms use a database to match usernames or numbers with a cryptographic key, retina pattern, hardware token serial number, etc. The registration problem refers to the difficulty in populating the authentication database with correct information. If the initial registration of information into this database is not a trustworthy process, the security of the authentication method is undermined. The registration problem is particularly evident when users from a large user base, such as from among the general public, need to be authenticated for online services such as those listed above. A particularly advantageous feature of any authentication system and method, particularly for Internet applications, would be the ability to authenticate users who have not yet registered for the authentication service, or at least to enable the user to register online in order to make immediate use of secure online services.
For large, widely-distributed user bases making use of publicly-accessible, secure computer-based services which are centrally located, strong user authentication is a challenging problem to solve. Strong authentication of servers, especially where these servers are few and centrally located, can be solved in a practical and secure way by existing methods that are not affected by the distribution and registration problems. These methods typically utilise public-key cryptography (such as SSL), where public keys located on servers provide both strong authentication of the server to the user, as well as secrecy during the transaction. However, there still remains the residual problem of implementing practical, strong user authentication.
SUMMARY OF THE INVENTION
According to a first aspect of the invention there is provided an authentication system for authenticating the identity of a user wishing to access a facility, the system comprising:
control means;
a database that includes user identification information, the database being accessible by the control means;
password generating means for generating a passcode, the passcode generating means being controlled by the control means; a first communications network between the user and the facility for providing the facility with the user identification information and the passcode;
a second communications network between the facility and the control means for receiving an authentication request and for allowing the control means to provide the facility with the passcode;
a third communications network between the user and the control means for sending the same passcode that was sent by the control means to the facility, to the user, for allowing the user to send the passcode to the facility via the first communications network; and
comparing means for allowing the facility to compare the passcode received from control means with the passcode received from the user so as to allow the user to access the facility in the event of there being match in the passcodes.
Typically, wherein the control means, the database that includes user identification information and the passcode generating means are situated at a centralized authentication server.
Preferably, the comparing means is situated at the facility, thereby allowing the facility to make a final decision as to whether to allow the user access to the facility.
Conveniently, the third communications network is a cellular communications network with the database including at least the user's name or an identification number and an associated cellular communication device contact number. Typically, the third communications network is a GSM-based cellular network. Advantageously, the authentication system includes a confidence value generating means for generating a confidence value reflecting the integrity of the authentication system, the confidence value being sent to the facility together with the passcode via the second communications network.
Typically, the authentication request includes the user identification information and a server name or address.
In one form of the invention, the passcode is a random number. Alternatively, the passcode is a cryptographic digest of a message sent by the user to the facility, the system thereby also allowing authentication of the message sent by the user.
Preferably, the authentication system includes session number generating means for generating a session number, the session number being sent to both the facility and the user via the second and third communications networks respectively, so as to allow the facility and the user to match the received passcode with the correct authentication session.
Typically, the authentication system includes logging means for logging each attempted authentication session so as to form an audit trail.
Advantageously, the third communications network is selected from the group comprising a local area network (LAN), a wide area network (WAN) and the Internet.
According to a second aspect of the invention there is provided an authentication method for authenticating the identity of a user wishing to access a facility, the method comprising the steps of: prompting the user to provide the facility with user identification information;
sending a request for authentication from the facility to a third party;
generating a passcode;
providing the passcode to the facility and to the user;
prompting the user to provide the facility with the passcode; and
comparing the passcode received by the user to the passcode received by the third party; and
allowing access to the facility in the event of there being a match between the two passcodes.
Preferably, the step of providing the user with the passcode includes the step of transmitting the passcode over a cellular communications network.
Typically, the method includes the step of generating a session number, the session number being sent to both the facility and the user so as to allow the facility and the user to match the received passcode with the correct authentication session.
Advantageously, the method includes the step of generating a confidence value reflecting the integrity of the authentication method, the confidence value being sent to the facility together with the passcode. Preferably, the step of the facility requesting authentication from a third party includes the steps of providing the third party with the user identification information and a server name or address.
In one form of the invention, the step of generating a passcode includes the step of generating a random number. Alternatively, the step of computing a passcode includes the step of generating a cryptographic digest based on a message sent by the user to the facility.
Preferably, the method includes the step of logging each attempted authentication session so as to form an audit trail.
BRIEF DESCRIPTION OF THE DRAWING
The only drawing shows a schematic view of the authentication process and system according to the present invention.
DESCRIPTION OF THE PREFERRED EMBODIMENT
Referring to the drawing, the authentication system 10 of the invention allows the identity of a user 12 to be authenticated when the user 12 is seeking access to a secure service that is hosted on one of a plurality of internet protocol (IP) servers 14. The IP servers 14 correspond to the computer system 16 that provides the secure service over an IP network, and may be a file server, mail server, print server, remote access server, web server, or any other suitable server. The user 12, typically via his or her computer 18, interacts with the IP servers 14 via an IP network 20, which in broad terms relates to any communication infrastructure through which the user 12 can access the IP servers 14. Typically, the IP network 20 will take the form of a local area network (LAN), a wide area network (WAN) or the Internet.
The authentication system 10 includes an authentication server 22, which is a centralized computer system 24 that performs most of the authentication used in the present invention. The authentication server 22 is able to provide an authentication service to many IP servers 14, and this ensures that the present invention can be implemented on a broad basis.
The authentication system 10 of the present invention makes use of a user database, which is provided at the authentication server 22 or at a separate, dedicated database server. The primary purpose of the user database is to match the name of the user 12 with an associated mobile communication device network number. The user 12 database can be populated by an administrator, or by the users themselves. However, when users 12 register on the user database, the correctness of the information must be confirmed from third party sources such as databases of mobile communication network service providers, banks or any other trustworthy source of information.
A crucial element of the present invention is the provision of two separate communication channels, the first being the IP network 20 described above. The second channel is a mobile communications channel 26 that utilises a mobile communication device 28 that will allow the authentication server 22 to communicate with the user 12. At present, it is envisaged that the phrase "mobile communication device" 28 is meant to include, but not be limited to, cellular telephones operating with a valid SIM card, pagers and beepers. In essence, though, any mobile device 28 that can be used to communicate and which is registered against the name of the user 12 can be used as proof of the identity of the user 12 or person trying to access the secure service. This communication infrastructure will typically be a GSM cellular network. Thus, this mobile communication infrastructure is used as a separate communication channel, and is used to provide the user 12 with a one-time passcode during the authentication process, as will be explained in detail further below.
The passcode can be either a random number, or can be a cryptographic digest of the information offered by the user. In the case of the cryptographic digest, the passcode forms an authentication signature of the contents of the message.
The IP servers 14, which refers to all servers that make use of the authentication system 10 of the present invention, make use of software, also known as a "thin authentication client". This software redirects the authentication process, which would typically have taken place at the IP server 14 itself, to the authentication server 22. The authentication system 10 thus uses a mobile communication device 28 as an authentication token to authenticate the identity of a user 12 trying to gain access to a computer/network service 14 and/or the contents of a message provided by the user There are two mam steps that are used in the authentication process, namely registration and the actual authentication
In the registration process, the user's details, including, but not limited to, a username or number and his or her mobile communication device network number, such as a mobile telephone number, are registered in the user database For employees of a company, this can be done by the system administrator and does not need confirmation from third-party sources outside the company For online Internet services where users from among the general public can register online, the details submitted by the user to the database must be confirmed by another source This is done by asking the user to fax and/or post information such as mobile telephone account statements, credit card statements, etc, and/or by querying other databases such as those from mobile communication network service providers and banks Every time the information is confirmed, a confidence value reflecting the integrity of the confirmation method is adjusted and updated in the database
The actual process involved in authenticating a user 12 and/or the contents of the information offered by the user will now be described The process commences with the user 12 requesting access from his or her computer 18, via the IP network 20, to the desired service 16 that in turn is a subscriber to the authentication system of the invention, by sending his or her username or number to the IP server 14 via the IP network 20 The user may optionally add additional information, such as account details and amounts during a commercial transaction, for example, as part of the request for access to services This step is shown in general by 30 The IP server 14 then generates a request for confirmation of the user's identity, which it then sends to the authentication server, as indicated by 32. The request includes the username and server name or address as well as any extra information the user may have offered.
The authentication server 22 then generates a random number or computes a cryptographic digest, based on the information offered by the user, with either the random number or the cryptographic digest being referred to as a passcode, as well as a session number. The authentication server 22 then also queries the user database for the mobile communication device network number of the user 12, and sends the passcode and session number via the mobile communication network to the user's mobile communication device 28. This step is indicated by 34, and can be done by using any one of a number of suitable GSM messaging services, such as SMS, USSD, GPRS, as well as pager/beeper messaging services. The device for sending this information to the user is indicated generally by 36.
The same passcode, session number, as well as a confidence level are sent to the IP server 14, as shown by 38. However, a different passcode is used for every new access attempt, with the passcode only being valid for a limited period of time.
Once the user 12 receives the passcode by his or her mobile communication device 28, he or she offers it, via the IP network 20, as a passcode to gain access to the secure service offered by the IP server 14. This is shown at 40. The passcode, which is typically in the form of a random number or a cryptographic digest, is generated in a cryptographically secure manner, and is used only once for a single, unique login session. The IP server 14 then compares the passcode that was offered by the user via the IP network 20 with the passcode that was generated for that particular login session by the authentication server 22. If the two codes are the same, it is concluded that the user 12 is in possession of the authentication token, typically the GSM SIM card, and can therefore positively be identified as the user whom he or she claims to be. If a cryptographic digest was computed, this digest, when logged, forms a signature, which can be used to confirm the authenticity of the information offered by the user. If, however, the numbers do not match, or if a response is not received within a certain time interval, access is denied.
A level of confidence, which is derived from a method used to confirm the user's details in the database, is returned to the provider of the service where it may be used to determine whether or not to grant access to the user. The confidence level is a numerical value that is assigned according to the procedure by which the details of user 12 are registered in the user database. For example, numerical values between 0 and 100 may be assigned to the user 12 in such a manner: if the user's data are registered online via the Internet by the user him/herself, a confidence level of 0 is assigned, indicating the lowest level of confidence. If, however, the user submits copies of documents, such as mobile telephone account statements, credit card statements, etc, via fax, a confidence level of 10, for example, may be assigned. Submission of original documents by post, or proof of possession of original documents in person, may further increase the confidence level. The highest confidence level, 100 in this case, could be assigned if original documents, together with required identification, are provided in person, and this information can be verified by querying other databases such as those from mobile communication network service providers and banks. Advantageously, therefore, it is the provider of the service or facility who ultimately needs to decide whether or not to grant access to the service or facility.
The outcome of the access attempt is sent back to the authentication server 22 and logged in the user database, as indicated by 42. The passcode can also be combined with a password or a PIN number to form a stronger two-factor authentication system.
Each step in the authentication process is logged to form an audit trail that can serve, for example, as evidence that a specific user has indeed used the service. Thus, a user would not be able to deny that he or she used a certain service if access to that service was granted after providing, within a limited period of time, a passcode that was sent to his or her mobile communication device during a period for which the mobile communication device was not reported missing. In the case of the passcode being based on a cryptographic digest of the information offered by the user, the logged passcode acts as a signature and confirmation of the contents of the information offered by the user. Thus a user cannot later deny having offered that information. The cryptographic transformation of only the correct information will result in a match with the logged passcode.
It is envisaged that in one form of the invention the registration and authentication processes above could be combined by asking the user for all the registration details during every authentication process.
Every login session or access attempt is numbered with a pseudo-unique number, known as the session number. When the authentication server sends a message containing the passcode via the mobile communication network to the user's mobile communication device, it also includes the Session Number. The thin authentication client, or the software on the IP server, uses the same session number when prompting the user for the passcode. This enables the user to match the received passcode with the correct login session.
The authentication system thus provides a practical way to authenticate the identity of users of computer systems for applications including, but not limited to: 1. Dial-up remote access
Access by authorized employees or external support personnel to corporate LANs/WANs via a remote-access dial-up connection. Thus, remote dial-up access can potentially open up the corporate LAN/WAN to any person world-wide, and hence secure user authentication is critical in order to confirm the identity of personnel trying to gain access.
2. Operating Systems
Access by authorized employees or external support personnel to corporate computer systems via, but not limited to, Telnet, RLOGIN, RSH, and X-Windows.
3. Application Software
Access by authorized employees or external support personnel to corporate computer applications including, but not limited to, databases, FTP, E-mail, etc.
4. Web-based Online Internet Subscription Services
Access to financial services such as internet banking and investment portals, online medical scheme services, online insurance and stockbrokerage services, electronic media and literature.
5. E-commerce
For online credit card transactions, where credit card issuers will not accept the risk of fraud and charge losses back to the merchants, authenticating the identity of the user conducting the transaction provides an important business advantage. When using a cryptographic transformation on the information offered by the user, as passcode, the authenticity of information such as the transaction amounts and account numbers can be logged and shown. The authentication system of the present invention thus provides a "strong" and secure user authentication by using the user's cellular telephone SIM card as an authentication token. In addition, the fact that a cryptographically secure random number or passcode is sent via a separate channel to the user's cellular telephone ensure that only the user in possession of the GSM SIM card can successfully authenticate his or her identity. Since every passcode is used once only, it cannot be re-used by an intruder. Furthermore, a two-factor authentication mechanism results if the system is used in conjunction with a password or PIN number, which, it is envisaged, would be the preferred way in which the system would be used.
In particular, the disclosed system also addresses the distribution problem described above in that it uses existing cellular phones. In addition, by confirming user details from existing databases, the registration problem is also addressed.
In addition, the present, which makes use of existing infrastructure, such as hardware tokens and databases, is particularly suitable for applications that require secure authentication of users from large user bases, such as from among the general public.

Claims

1. An authentication system for authenticating the identity of a user wishing to access a facility, the system comprising:
control means;
a database that includes user identification information, the database being accessible by the control means;
password generating means for generating a passcode, the passcode generating means being controlled by the control means;
a first communications network between the user and the facility for providing the facility with the user identification information and the passcode;
a second communications network between the facility and the control means for receiving an authentication request and for allowing the control means to provide the facility with the passcode;
a third communications network between the user and the control means for sending the same passcode that was sent by the control means to the facility, to the user, for allowing the user to send the passcode to the facility via the first communications network; and
comparing means for allowing the facility to compare the passcode received from control means with the passcode received from the user so as to allow the user to access the facility in the event of there being match in the passcodes.
2. An authentication system according to claim 1 wherein the control means, the database that includes user identification information and the passcode generating means are situated at a centralized authentication server.
3. An authentication system according to either one of the preceding claims wherein the comparing means is situated at the facility, thereby allowing the facility to make a final decision as to whether to allow the user access to the facility.
4. An authentication system according to any one of the preceding claims wherein the third communications network is a cellular communications network with the database including at least the user's name or an identification number and an associated cellular communication device contact number.
5. An authentication system according to claim 4 wherein the third communications network is a GSM-based cellular network.
6. An authentication system according to any one of the preceding claims that includes a confidence value generating means for generating a confidence value reflecting the integrity of the authentication system, the confidence value being sent to the facility together with the passcode via the second communications network.
7. An authentication system according to any one of the preceding claims wherein the authentication request includes the user identification information and a server name or address.
8. An authentication system according to any one of the preceding claims wherein the passcode is a random number.
9. A message authentication system according to any one of claims 1 to 7 wherein the passcode is a cryptographic digest of a message sent by the user to the facility, the system thereby also allowing authentication of the message sent by the user.
10. An authentication system according to any one of the preceding claims that includes session number generating means for generating a session number, the session number being sent to both the facility and the user via the second and third communications networks respectively, so as to allow the facility and the user to match the received passcode with the correct authentication session.
1 1. An authentication system according to any one of the preceding claims, which includes logging means for logging each attempted authentication session so as to form an audit trail.
12. An authentication system according to any one of the preceding claims wherein the third communications network is selected from the group comprising a local area network (LAN), a wide area network (WAN) and the Internet.
13. An authentication method for authenticating the identity of a user wishing to access a facility, the method comprising the steps of:
prompting the user to provide the facility with user identification information; sending a request for authentication from the facility to a third party;
generating a passcode;
providing the passcode to the facility and to the user;
prompting the user to provide the facility with the passcode; and
comparing the passcode received by the user to the passcode received by the third party; and
allowing access to the facility in the event of there being a match between the two passcodes.
14. An authentication method according to claim 13 wherein the step of providing the user with the passcode includes the step of transmitting the passcode over a cellular communications network.
15. An authentication method according to either one of claims 13 or 14, which includes the step of generating a session number, the session number being sent to both the facility and the user so as to allow the facility and the user to match the received passcode with the correct authentication session.
16. An authentication method according to any one of claims 13 to 15 that includes the step of generating a confidence value reflecting the integrity of the authentication method, the confidence value being sent to the facility together with the passcode.
17. An authentication method according to any one of claims 13 to 16 wherein the step of the facility requesting authentication from a third party includes the steps of providing the third party with the user identification information and a server name or address.
18. An authentication method according to any one of claims 13 to 17 in which the step of generating a passcode includes the step of generating a random number.
19. An authentication method according to any one of claims 13 to 17 in which the step of computing a passcode includes the step of generating a cryptographic digest based on a message sent by the user to the facility.
20. An authentication method according to any one of claims 12 to 19 which includes the step of logging each attempted authentication session so as to form an audit trail.
PCT/IB2001/000903 2000-05-24 2001-05-23 Authentication system and method WO2001091398A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
EP01932002A EP1290850A2 (en) 2000-05-24 2001-05-23 Authentication system and method
CA002410431A CA2410431A1 (en) 2000-05-24 2001-05-23 Authentication system and method
US10/296,364 US20030172272A1 (en) 2000-05-24 2001-05-23 Authentication system and method
JP2001586866A JP2003534589A (en) 2000-05-24 2001-05-23 Authentication system and method
AU2001258681A AU2001258681A1 (en) 2000-05-24 2001-05-23 Authentication system and method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
ZA200002559 2000-05-24
ZA2000/2559 2000-05-24

Publications (2)

Publication Number Publication Date
WO2001091398A2 true WO2001091398A2 (en) 2001-11-29
WO2001091398A3 WO2001091398A3 (en) 2002-06-06

Family

ID=25588758

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2001/000903 WO2001091398A2 (en) 2000-05-24 2001-05-23 Authentication system and method

Country Status (6)

Country Link
US (1) US20030172272A1 (en)
EP (1) EP1290850A2 (en)
JP (1) JP2003534589A (en)
AU (1) AU2001258681A1 (en)
CA (1) CA2410431A1 (en)
WO (1) WO2001091398A2 (en)

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003075539A1 (en) * 2002-02-28 2003-09-12 General Instrument Corporation Detection of duplicate client identities in a communication system
GB2387002A (en) * 2002-02-20 2003-10-01 1Revolution Group Plc Personal identification system and method using a mobile device
WO2003092216A1 (en) 2002-04-25 2003-11-06 Vasco Data Security, Inc. Methods and systems for secure transmission of information using a mobile device
WO2004039032A2 (en) * 2002-10-28 2004-05-06 OCé PRINTING SYSTEMS GMBH Method and arrangement for authenticating a control unit and transmitting authentication information messages to the control unit
JP2004173282A (en) * 2002-11-19 2004-06-17 Microsoft Corp Authentication of wireless device irrespective of transport
EP1445917A2 (en) * 2003-02-04 2004-08-11 RenderSpace - Pristop Interactive d.o.o. Identification system for admission into protected area by means of an additional password
WO2005020534A1 (en) * 2003-08-13 2005-03-03 Siemens Aktiengesellschaft Method and device for transmitting confidential and useful information y means of separate protected liaisons
WO2010064128A3 (en) * 2008-12-03 2011-01-27 Entersect Technologies (Pty) Ltd. Secure transaction authentication
KR20160148691A (en) * 2014-07-02 2016-12-26 알리바바 그룹 홀딩 리미티드 Dual channel identity authentication
EP3496022A1 (en) * 2017-12-08 2019-06-12 Idemia Identity & Security France Method for securing an electronic transaction
US11620672B2 (en) 2016-03-28 2023-04-04 Codebroker, Llc Validating digital content presented on a mobile device

Families Citing this family (78)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7133971B2 (en) * 2003-11-21 2006-11-07 International Business Machines Corporation Cache with selective least frequently used or most frequently used cache line replacement
US7444676B1 (en) 2001-08-29 2008-10-28 Nader Asghari-Kamrani Direct authentication and authorization system and method for trusted network of financial institutions
US8281129B1 (en) 2001-08-29 2012-10-02 Nader Asghari-Kamrani Direct authentication system and method via trusted authenticators
US20030163739A1 (en) * 2002-02-28 2003-08-28 Armington John Phillip Robust multi-factor authentication for secure application environments
US8238944B2 (en) * 2002-04-16 2012-08-07 Hewlett-Packard Development Company, L.P. Disaster and emergency mode for mobile radio phones
KR100842556B1 (en) * 2002-08-20 2008-07-01 삼성전자주식회사 Method for approving service using a mobile communication terminal equipment
US20050076198A1 (en) * 2003-10-02 2005-04-07 Apacheta Corporation Authentication system
FR2861236B1 (en) * 2003-10-21 2006-02-03 Cprm METHOD AND DEVICE FOR AUTHENTICATION IN A TELECOMMUNICATION NETWORK USING PORTABLE EQUIPMENT
US20070011334A1 (en) * 2003-11-03 2007-01-11 Steven Higgins Methods and apparatuses to provide composite applications
US20070067373A1 (en) * 2003-11-03 2007-03-22 Steven Higgins Methods and apparatuses to provide mobile applications
US7945675B2 (en) * 2003-11-03 2011-05-17 Apacheta Corporation System and method for delegation of data processing tasks based on device physical attributes and spatial behavior
JP3890398B2 (en) * 2004-02-19 2007-03-07 海 西田 Verification and construction of highly secure anonymous communication path in peer-to-peer anonymous proxy
WO2005114886A2 (en) * 2004-05-21 2005-12-01 Rsa Security Inc. System and method of fraud reduction
US20080282331A1 (en) * 2004-10-08 2008-11-13 Advanced Network Technology Laboratories Pte Ltd User Provisioning With Multi-Factor Authentication
US7370202B2 (en) * 2004-11-02 2008-05-06 Voltage Security, Inc. Security device for cryptographic communications
US8087068B1 (en) 2005-03-08 2011-12-27 Google Inc. Verifying access to a network account over multiple user communication portals based on security criteria
US8438633B1 (en) 2005-04-21 2013-05-07 Seven Networks, Inc. Flexible real-time inbox access
WO2006133515A1 (en) * 2005-06-16 2006-12-21 Cerebrus Solutions Limited A method of confirming the identity of a person
US8220042B2 (en) 2005-09-12 2012-07-10 Microsoft Corporation Creating secure interactive connections with remote resources
ITMI20051742A1 (en) * 2005-09-20 2007-03-21 Accenture Global Services Gmbh AUTHENTICATION ARCHITECTURE AND AUTHORIZATION FOR AN ACCESS PORT
US7917124B2 (en) * 2005-09-20 2011-03-29 Accenture Global Services Limited Third party access gateway for telecommunications services
WO2007044500A2 (en) 2005-10-06 2007-04-19 C-Sam, Inc. Transactional services
US10032160B2 (en) 2005-10-06 2018-07-24 Mastercard Mobile Transactions Solutions, Inc. Isolating distinct service provider widgets within a wallet container
US20130332343A1 (en) 2005-10-06 2013-12-12 C-Sam, Inc. Multi-tiered, secure mobile transactions ecosystem enabling platform comprising a personalization tier, a service tier, and an enabling tier
US7920583B2 (en) 2005-10-28 2011-04-05 Accenture Global Services Limited Message sequencing and data translation architecture for telecommunication services
US7702753B2 (en) * 2005-11-21 2010-04-20 Accenture Global Services Gmbh Unified directory and presence system for universal access to telecommunications services
US8255981B2 (en) * 2005-12-21 2012-08-28 At&T Intellectual Property I, L.P. System and method of authentication
US20080022414A1 (en) * 2006-03-31 2008-01-24 Robert Cahn System and method of providing unique personal identifiers for use in the anonymous and secure exchange of data
US8023927B1 (en) 2006-06-29 2011-09-20 Google Inc. Abuse-resistant method of registering user accounts with an online service
AU2007303059B2 (en) * 2006-10-06 2014-01-30 Fmr Llc Secure multi-channel authentication
US8006300B2 (en) 2006-10-24 2011-08-23 Authernative, Inc. Two-channel challenge-response authentication method in random partial shared secret recognition system
WO2008089450A1 (en) 2007-01-19 2008-07-24 United States Postal Services System and method for electronic transaction verification
US8510798B2 (en) * 2007-04-02 2013-08-13 Sony Corporation Authentication in an audio/visual system having multiple signaling paths
US8429713B2 (en) * 2007-04-02 2013-04-23 Sony Corporation Method and apparatus to speed transmission of CEC commands
US11257080B2 (en) 2007-05-04 2022-02-22 Michael Sasha John Fraud deterrence for secure transactions
US8533821B2 (en) 2007-05-25 2013-09-10 International Business Machines Corporation Detecting and defending against man-in-the-middle attacks
US8959584B2 (en) 2007-06-01 2015-02-17 Albright Associates Systems and methods for universal enhanced log-in, identity document verification and dedicated survey participation
US9398022B2 (en) 2007-06-01 2016-07-19 Teresa C. Piliouras Systems and methods for universal enhanced log-in, identity document verification, and dedicated survey participation
US8893241B2 (en) 2007-06-01 2014-11-18 Albright Associates Systems and methods for universal enhanced log-in, identity document verification and dedicated survey participation
US8056118B2 (en) * 2007-06-01 2011-11-08 Piliouras Teresa C Systems and methods for universal enhanced log-in, identity document verification, and dedicated survey participation
JP5184627B2 (en) 2007-06-26 2013-04-17 G3−ビジョン リミテッド Communication device, authentication system and method, and carrier medium
US20090106826A1 (en) * 2007-10-19 2009-04-23 Daniel Palestrant Method and system for user authentication using event triggered authorization events
US20090132365A1 (en) * 2007-11-15 2009-05-21 Microsoft Corporation Search, advertising and social networking applications and services
US8837465B2 (en) 2008-04-02 2014-09-16 Twilio, Inc. System and method for processing telephony sessions
EP3484135A1 (en) 2008-04-02 2019-05-15 Twilio Inc. System and method for processing telephony sessions
US8156550B2 (en) * 2008-06-20 2012-04-10 Microsoft Corporation Establishing secure data transmission using unsecured E-mail
US8656177B2 (en) * 2008-06-23 2014-02-18 Voltage Security, Inc. Identity-based-encryption system
CN101621564A (en) * 2008-07-04 2010-01-06 鸿富锦精密工业(深圳)有限公司 Method of preventing password leakage of mobile terminal (MT)
JP5425912B2 (en) * 2008-09-30 2014-02-26 ヒューレット−パッカード デベロップメント カンパニー エル.ピー. Authenticating services on a partition
MY178936A (en) * 2008-11-10 2020-10-23 Entrust Datacard Denmark As Method and system protecting against identity theft or replication abuse
US8712453B2 (en) * 2008-12-23 2014-04-29 Telecommunication Systems, Inc. Login security with short messaging
US20100269162A1 (en) 2009-04-15 2010-10-21 Jose Bravo Website authentication
US8789153B2 (en) * 2010-01-27 2014-07-22 Authentify, Inc. Method for secure user and transaction authentication and risk management
US8683609B2 (en) * 2009-12-04 2014-03-25 International Business Machines Corporation Mobile phone and IP address correlation service
US20110145899A1 (en) * 2009-12-10 2011-06-16 Verisign, Inc. Single Action Authentication via Mobile Devices
WO2011094869A1 (en) * 2010-02-05 2011-08-11 Lipso Systèmes Inc. Secure authentication system and method
US20120215658A1 (en) * 2011-02-23 2012-08-23 dBay Inc. Pin-based payment confirmation
US11514451B2 (en) 2011-03-15 2022-11-29 Capital One Services, Llc Systems and methods for performing financial transactions using active authentication
US8838988B2 (en) 2011-04-12 2014-09-16 International Business Machines Corporation Verification of transactional integrity
FR2976437B1 (en) * 2011-06-08 2014-04-18 Genmsecure METHOD FOR SECURING AN ACTION THAT AN ACTUATOR DEVICE MUST ACCOMPLISH AT A USER'S REQUEST
WO2013013171A2 (en) 2011-07-21 2013-01-24 United States Postal Service Content retrieval systems for distribution items
FR2978891B1 (en) * 2011-08-05 2013-08-09 Banque Accord METHOD, SERVER AND SYSTEM FOR AUTHENTICATING A PERSON
DE102011110898A1 (en) 2011-08-17 2013-02-21 Advanced Information Processing Systems Sp. z o.o. Method for authentication of e.g. robot, for providing access to services of e.g. information system, involves providing or inhibiting access of user to services of computer system based on authentication result
BR112014008941A2 (en) 2011-10-12 2017-05-02 C-Sam Inc platform that enables secure multilayer mobile transactions
US9832649B1 (en) * 2011-10-12 2017-11-28 Technology Business Management, Limted Secure ID authentication
US20140351138A1 (en) * 2011-11-16 2014-11-27 P97 Networks, Inc. Payment System for Vehicle Fueling
US9240970B2 (en) 2012-03-07 2016-01-19 Accenture Global Services Limited Communication collaboration
US10025920B2 (en) * 2012-06-07 2018-07-17 Early Warning Services, Llc Enterprise triggered 2CHK association
US8737962B2 (en) 2012-07-24 2014-05-27 Twilio, Inc. Method and system for preventing illicit use of a telephony platform
US8917826B2 (en) 2012-07-31 2014-12-23 International Business Machines Corporation Detecting man-in-the-middle attacks in electronic transactions using prompts
US9226217B2 (en) 2014-04-17 2015-12-29 Twilio, Inc. System and method for enabling multi-modal communication
DE102014210933A1 (en) * 2014-06-06 2015-03-19 Siemens Aktiengesellschaft A method for activating a user on a control panel of a medical device
CN104579691A (en) * 2015-01-28 2015-04-29 中科创达软件股份有限公司 BYOD mode control method, mobile device and system
BR102016015611B1 (en) * 2016-07-04 2022-04-05 Rpc Rede Ponto Certo Tecnologia E Serviços Ltda Mobile system for transactional updating of information on contactless chips
US11210412B1 (en) * 2017-02-01 2021-12-28 Ionic Security Inc. Systems and methods for requiring cryptographic data protection as a precondition of system access
DE102017105771A1 (en) 2017-03-17 2018-09-20 Deutsche Telekom Ag Access control procedure
US10455416B2 (en) * 2017-05-26 2019-10-22 Honeywell International Inc. Systems and methods for providing a secured password and authentication mechanism for programming and updating software or firmware
US11762973B2 (en) * 2021-11-16 2023-09-19 International Business Machines Corporation Auditing of multi-factor authentication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5668876A (en) * 1994-06-24 1997-09-16 Telefonaktiebolaget Lm Ericsson User authentication method and apparatus
EP0926611A2 (en) * 1997-12-23 1999-06-30 AT&T Corp. Method for validation of electronic transactions

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5668876A (en) * 1994-06-24 1997-09-16 Telefonaktiebolaget Lm Ericsson User authentication method and apparatus
EP0926611A2 (en) * 1997-12-23 1999-06-30 AT&T Corp. Method for validation of electronic transactions

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2387002A (en) * 2002-02-20 2003-10-01 1Revolution Group Plc Personal identification system and method using a mobile device
WO2003075539A1 (en) * 2002-02-28 2003-09-12 General Instrument Corporation Detection of duplicate client identities in a communication system
EP1504561A1 (en) * 2002-04-25 2005-02-09 Vasco Data Security Inc. Methods and systems for secure transmission of information using a mobile device
WO2003092216A1 (en) 2002-04-25 2003-11-06 Vasco Data Security, Inc. Methods and systems for secure transmission of information using a mobile device
EP1504561A4 (en) * 2002-04-25 2009-07-29 Vasco Data Security Inc Methods and systems for secure transmission of information using a mobile device
WO2004039032A2 (en) * 2002-10-28 2004-05-06 OCé PRINTING SYSTEMS GMBH Method and arrangement for authenticating a control unit and transmitting authentication information messages to the control unit
WO2004039032A3 (en) * 2002-10-28 2004-05-27 Oce Printing Systems Gmbh Method and arrangement for authenticating a control unit and transmitting authentication information messages to the control unit
US8429402B2 (en) 2002-10-28 2013-04-23 OCé PRINTING SYSTEMS GMBH Method and arrangement for authenticating a control unit and transmitting authentication information messages to the control unit
US7463879B2 (en) 2002-11-19 2008-12-09 Microsoft Corporation Transport agnostic authentication of wireless devices
JP2004173282A (en) * 2002-11-19 2004-06-17 Microsoft Corp Authentication of wireless device irrespective of transport
EP1445917A3 (en) * 2003-02-04 2004-10-06 RenderSpace - Pristop Interactive d.o.o. Identification system for admission into protected area by means of an additional password
EP1445917A2 (en) * 2003-02-04 2004-08-11 RenderSpace - Pristop Interactive d.o.o. Identification system for admission into protected area by means of an additional password
WO2005020534A1 (en) * 2003-08-13 2005-03-03 Siemens Aktiengesellschaft Method and device for transmitting confidential and useful information y means of separate protected liaisons
WO2010064128A3 (en) * 2008-12-03 2011-01-27 Entersect Technologies (Pty) Ltd. Secure transaction authentication
US8862097B2 (en) 2008-12-03 2014-10-14 Entersekt International Limited Secure transaction authentication
KR20160148691A (en) * 2014-07-02 2016-12-26 알리바바 그룹 홀딩 리미티드 Dual channel identity authentication
EP3164793A4 (en) * 2014-07-02 2018-03-14 Alibaba Group Holding Limited Dual channel identity authentication
KR101970123B1 (en) * 2014-07-02 2019-04-19 알리바바 그룹 홀딩 리미티드 Dual channel identity authentication
US10659453B2 (en) 2014-07-02 2020-05-19 Alibaba Group Holding Limited Dual channel identity authentication
US11620672B2 (en) 2016-03-28 2023-04-04 Codebroker, Llc Validating digital content presented on a mobile device
EP3496022A1 (en) * 2017-12-08 2019-06-12 Idemia Identity & Security France Method for securing an electronic transaction
FR3074944A1 (en) * 2017-12-08 2019-06-14 Idemia Identity & Security France METHOD FOR SECURING AN ELECTRONIC TRANSACTION

Also Published As

Publication number Publication date
WO2001091398A3 (en) 2002-06-06
EP1290850A2 (en) 2003-03-12
CA2410431A1 (en) 2001-11-29
JP2003534589A (en) 2003-11-18
AU2001258681A1 (en) 2001-12-03
US20030172272A1 (en) 2003-09-11

Similar Documents

Publication Publication Date Title
US20030172272A1 (en) Authentication system and method
US9900163B2 (en) Facilitating secure online transactions
US7373515B2 (en) Multi-factor authentication system
US7698565B1 (en) Crypto-proxy server and method of using the same
JP4668551B2 (en) Personal authentication device and system and method thereof
US6928546B1 (en) Identity verification method using a central biometric authority
US7610617B2 (en) Authentication system for networked computer applications
US5778065A (en) Method and system for changing an authorization password or key in a distributed communication network
EP1927211B1 (en) Authentication method and apparatus utilizing proof-of-authentication module
US5491752A (en) System for increasing the difficulty of password guessing attacks in a distributed authentication scheme employing authentication tokens
EP1102157B1 (en) Method and arrangement for secure login in a telecommunications system
WO2018048692A1 (en) Architecture for access management
US20080077791A1 (en) System and method for secured network access
JPH10336169A (en) Authenticating method, authenticating device, storage medium, authenticating server and authenticating terminal
JP2005532736A (en) Biometric private key infrastructure
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
EP2070248B1 (en) System and method for facilitating secure online transactions
Kizza Authentication
EA046054B1 (en) METHOD FOR AUTHENTICATION OF TYFLOSPLAYER IN THE ONLINE LIBRARY OF "TALKING" BOOKS
WO2003061186A1 (en) Identity verification method using a central biometric authority
Guideline et al. Archived NIST Technical Series Publication
Know Bill Cheng

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

WWE Wipo information: entry into national phase

Ref document number: 200206256

Country of ref document: ZA

WWE Wipo information: entry into national phase

Ref document number: 2410431

Country of ref document: CA

WWE Wipo information: entry into national phase

Ref document number: 2001932002

Country of ref document: EP

Ref document number: 2001258681

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 10296364

Country of ref document: US

WWP Wipo information: published in national office

Ref document number: 2001932002

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2001932002

Country of ref document: EP