Patent Application
20150227924
To supplement the present disclosure, this application further incorporates entirely by reference the following commonly assigned patent applications:
In general, embodiments of the invention relate user authentication and, more particularly, to determining a user's authentication requirements/credentials for a specific service along an authentication continuum based on a current state of the user and/or service attributes.
User authentication is typically required when a user conducts a transaction using a debit/credit card or seeks access to network-based services that store or have access to information that is personnel and/or warrants protection from unauthorized access by others (e.g., an online or mobile banking service or the like). User authentication serves to validate that the individual conducting the transaction is the individual authorized to use the debit/credit card account or that the individual seeking access to the network-based service is the individual authorized to access the service. Typically, a user provides authentication credentials, otherwise referred to herein as authentication requirements, (e.g., a user ID and password), which are then compared to the user's securely stored authentication credentials and, if the authentication credentials provided by the user match the stored authentication credentials, the user is allowed to conduct the transaction or gain access to the network-based service.
In many instances, a burden is placed on the user providing the authentication requirements. Specifically, the user must remember their authentication credential or, in the event that the user forgets the authentication credentials undertake a procedure to recover the authentication credentials. Remembering the authentication credentials can become problematic if the user does not use the network service and/or conduct such transactions frequently or if the user is required to change their authentication credentials periodically in order to insure their security. In addition to problems associated with remembering authentication credentials, the mere process of entering such authentication credentials either at a point-of-sale (POS) location or at a gateway to network service entry can be a burdensome and risky endeavor. In some instances, entry of such authentication credentials can be an inefficient and time-consuming process. For example, if the user is implementing a handheld mobile device, such as smart cellular telephone or the like, to gain access to a network-based service, entry of the authentication credentials on the device requires the ability of the user to see the display and accurately enter the credentials via the downsized keypad. If the authentication credentials require different case lettering and/or non-alphanumeric characters for security purposes entry becomes even more daunting and prone to entry errors. Moreover, if the user repeatedly enters the authentication incorrectly, the network-service may see this as a security risk and bar the user from further attempts, thereby denying the user entry to the network-service.
In addition to user inefficiency problems, entering authentication credentials in a public setting, such as a POS location or via a mobile device, presents risks that the authentication credentials may be nefariously intercepted by someone in the vicinity.
In today's computing networking environments, especially in the mobile or wireless realm, the entity that provides the network service or the authenticating entity may have instantaneous availability to other information, besides the user-provided authentication credentials, which can serve to at least assist in validating the identity of the user. Therefore, a need exists to develop other methods, apparatus and computer program products for user authentication. The desired methods, apparatus and computer program products for user authentication should alleviate problems associated with inefficiencies in the current user authentication process and/or add additional security to the user authentication process. Further, the desired methods, apparatus and computer program products should leverage other information that the authenticating entity knows about the user at the time of the authentication request to assist in the authentication process. In this regard, the other information known about the user may serve to adjust the authentication requirements/credentials that the user must provide to gain access or, in some instances, eliminate the need for the user to provide authentication requirements/credentials.
The following presents a simplified summary of one or more embodiments in order to provide a basic understanding of such embodiments. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments, nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later.
Embodiments of the present invention address the above needs and/or achieve other advantages by providing apparatus, methods, computer program products or the like for determining a user's authentication requirements/credentials for a specific service request based on locating a point along an authentication continuum. The point along the authentication continuum defines the authentication requirements and is based on a current state of the user and/or service attributes. Thus, the present invention takes into account various factors and/or attributes, known at the time of service access request, to determine the degree of authentication/credentials required to access the service. The more or less that is known about the current state of the user, in comparison to historical data about the user, the more or less likely the user is, in fact, the user that is attempting to access the service and, thus, the authentication requirements required to access the service can be adjusted according (increased or decreased). Thus, the present invention serves to add efficiency to the user authentication, while at the same time imparting the requisite security required of a user authentication procedure.
An apparatus for determining user authentication requirements for accessing a service defines first embodiments of the invention. The apparatus includes a computing platform having a memory and a processor in communication with the memory. The apparatus further includes an authentication requirements module that is stored in the memory and is executable by the processor. The module is configured to receive a request for a user to perform a function requiring user authentication and, in response to receiving the request, determine at least one of (1) a current physical state of the user, or (2) attributes related to the function. The module is further configured to determine a location along an authentication continuum based at least in part on at least one of (1) the current physical state of the user, or (2) one or more attributes related to the function. The location along the authentication continuum defines authentication requirements. In response the determining the authentication requirements, the user is requested to provide the determined authentication requirements and is provided access to the service in response to the user providing the determined authentication requirements/credentials.
In specific embodiments of the apparatus, the authentication requirements module is further configured to receive a request for a user to perform a function requiring user authentication, wherein the function is one of (1) accessing a network-based service, or (3) conducting a financial transaction.
In other embodiments of the apparatus, the authentication requirements module is further configured to determine the one or more attributes related to the function, the attributes related to the function include at least one of (1) a type of financial transaction or network-based service, (2) a time of conducting the financial transaction or accessing the network-based service, or (3) an amount associated with the financial transaction. In other embodiments of the apparatus, the authentication requirements module is further configured to determine the current physical state of the user, the current physical state of the user is one or more of (1) a geographic location of the user, (2) movement of the user in a specified direction, (3) movement of a user across a specified boundary, or (4) change in geographic location by a specified amount.
In still further specific embodiments of the apparatus, the authentication requirements module is further configured to determine the location along the authentication continuum subjectively based additionally on user attributes, such as the user's historical financial transaction patterns or the like.
Moreover, in further embodiments of the apparatus, the authentication requirements module is further configured to determine the location along the authentication continuum, such that the location defines a predetermined level of authentication and the predetermined level of authentication defines the authentication requirements required for the user to perform the function. The level of authentication may be one of (1) a no-authentication-required level, (2) a partial authentication level, and (3) full authentication level, wherein the full authentication level requires standard authentication credentials and the partial authentication level requires less than the standard authentication credentials.
Additionally, in further specific embodiments the apparatus includes a function level module that is stored in the memory and executable by the processor. The function level module is configured to determine a level of the function to which the user is authorized to perform in response to the user meeting the authentication requirements, wherein the level of function provides for one of (1) a financial transaction amount limit, or (2) access to specified functionality within a network-based service.
A method for determining user authentication requirements for accessing a service defines second embodiments of the invention. The method includes receiving a request for a user to perform a function requiring user authentication and, in response to receiving the request, determining at least one of (1) a current physical state of the user, or (2) attributes related to the function. The method further includes determining a location along an authentication continuum based at least in part on at least one of (1) the current physical state of the user, or (2) one or more attributes related to the function. The location along the authentication continuum defines authentication requirements. In response the determining the authentication requirements, the user is requested to provide the determined authentication requirements and is provided access to the service in response to the user providing the determined authentication requirements/credentials.
In specific embodiments of the method, receiving the request further includes receiving a request for a user to perform a function requiring user authentication, such that the function is one of (1) accessing a network-based service, or (3) conducting a financial transaction.
In other specific embodiments of the method, determining attributes related to the function further includes determining the one or more attributes related to the function, the attributes related to the function include at least one of (1) a type of financial transaction or network-based service, (2) a time of conducting the financial transaction or accessing the network-based service, or (3) an amount associated with the financial transaction. In related embodiments of the method, determining the current physical state of the user further includes determining the current physical state of the user, the current physical state of the user is one or more of (1) a geographic location of the user, (2) movement of the user in a specified direction, (3) movement of a user across a specified boundary, or (4) change in geographic location by a specified amount.
In additional specific embodiments of the method, determining the location along the authentication continuum further includes determining the location along the authentication continuum subjectively based additionally on user attributes.
Moreover, in additional specific embodiments of the method, determining the location along the authentication continuum further includes determining the location along the authentication continuum, such that the location defines a predetermined level of authentication and the predetermined level of authentication defines the authentication requirements required for the user to perform the function. The level of authentication may be one of (1) a no-authentication-required level, (2) a partial authentication level, and (3) full authentication level. The full authentication level requires standard authentication credentials and the partial authentication level requires less than the standard authentication credentials.
In additional specific embodiments the method includes determining a level of the function to which the user is authorized to perform in response to the user meeting the authentication requirements. The level of function provides for one of (1) a financial transaction amount limit, or (2) access to specified functionality within a network-based service.
A computer program product including a non-transitory computer-readable medium defines third embodiments of the invention. The computer-readable medium includes a first set of codes for causing a computer to receive a request for a user to perform a function requiring user authentication. The computer-readable medium additionally includes a second set of codes for causing a computer to, in response to receiving the request, determine at least one of (1) a current physical state of the user, or (2) attributes related to the function. In addition, the computer-readable medium includes a third set of codes for causing a computer to determine a location along an authentication continuum based at least in part on at least one of (1) the current physical state of the user, or (2) one or more attributes related to the function. The location along the authentication continuum defines authentication requirements. In response the determining the authentication requirements, the user is requested to provide the determined authentication requirements and is provided access to the service in response to the user providing the determined authentication requirements/credentials.
Thus, systems, apparatus, methods, and computer program products herein described in detail below provide for determining a user's authentication requirements/credentials for a specific service access request based on determining a location along a an authentication continuum. The location along the authentication continuum defines the degree of authentication/credentials required to access the service and is determined based on a current state of the user and/or service attributes. The more or less that is known about the current state of the user, in comparison to historical data about the user, the more or less likely the user is, in fact, the user that is attempting to access the service and, thus, the authentication requirements required to access the service can be adjusted according (increased or decreased).
To the accomplishment of the foregoing and related ends, the one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative features of the one or more embodiments. These features are indicative, however, of but a few of the various ways in which the principles of various embodiments may be employed, and this description is intended to include all such embodiments and their equivalents.
Having thus described embodiments of the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
Embodiments of the present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which some, but not all, embodiments of the invention are shown. Indeed, the invention may be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will satisfy applicable legal requirements. Like numbers refer to like elements throughout. Although some embodiments of the invention described herein are generally described as involving a “financial institution,” one of ordinary skill in the art will appreciate that the invention may be utilized by other businesses that take the place of or work in conjunction with financial institutions to perform one or more of the processes or steps described herein as being performed by a financial institution.
As will be appreciated by one of skill in the art in view of this disclosure, the present invention may be embodied as an apparatus (e.g., a system, computer program product, and/or other device), a method, or a combination of the foregoing. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.), or an embodiment combining software and hardware aspects that may generally be referred to herein as a “system.” Furthermore, embodiments of the present invention may take the form of a computer program product comprising a computer-usable storage medium having computer-usable program code/computer-readable instructions embodied in the medium.
Any suitable computer-usable or computer-readable medium may be utilized. The computer usable or computer readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device. More specific examples (e.g., a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires; a tangible medium such as a portable computer diskette, a hard disk, a time-dependent access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a compact disc read-only memory (CD-ROM), or other tangible optical or magnetic storage device.
Computer program code/computer-readable instructions for carrying out operations of embodiments of the present invention may be written in an object oriented, scripted or unscripted programming language such as Java, Perl, Smalltalk, C++ or the like. However, the computer program code/computer-readable instructions for carrying out operations of the invention may also be written in conventional procedural programming languages, such as the “C” programming language or similar programming languages.
Embodiments of the present invention are described below with reference to flowchart illustrations and/or block diagrams of methods or apparatuses (the term “apparatus” including systems and computer program products). It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a particular machine, such that the instructions, which execute by the processor of the computer or other programmable data processing apparatus, create mechanisms for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture including instructions, which implement the function/act specified in the flowchart and/or block diagram block or blocks.
In those embodiments in which the apparatus comprises or is in communication with a mobile communication device, the user of the mobile device may be identified by gathering device identification information from the mobile device to generate the device's “fingerprint,” or unique signature of the mobile device. Device identification information may be collected from a variety of sources. In some embodiments, the device identification information includes an identification code. The identification code may be but is not limited to a serial number or an item number of the device. In some embodiments, the device identification information may be associated with a chip associated with the mobile device. The chip may be but is not limited to a subscriber identification module (SIM) card, removable hard drive, processor, microprocessor, or the like. In other embodiments, the device identification information may be associated with a removable part of the mobile device. Removable parts include but are not limited to detachable keyboards, battery covers, cases, hardware accessories, or the like. Removable parts may contain serial numbers or part numbers. In alternative embodiments, a unique key, code, or piece of software provided by a financial institution may be downloaded onto the mobile device. This unique key, code, or piece of software may then serve as device identification information. Typically, the device identification information (e.g., a serial number, an identification code, an International Mobile Station Equipment Identity (IMEI), a phone number, a chip, a removable part, or similar pieces of device identification information) is collected from the mobile device without requiring user input. For example, the device identification information may be automatically provided by the mobile device. Alternatively, the mobile device may provide the information without requiring user input after receiving a request from a system for the identification information. In other embodiments, device identification information may be entered manually at the mobile device. For example, if the mobile device's serial number cannot be automatically located (perhaps due to interference, long range, or similar hindrance), the user may be prompted for manual entry of the serial number (or an identification code, an International Mobile Station Equipment Identity (IMEI), a phone number, a chip, a removable part, or similar pieces of device identification information). The device identification information may be stored and subsequently used to identify the user of the mobile device.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions, which execute on the computer or other programmable apparatus, provide steps for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. Alternatively, computer program implemented steps or acts may be combined with operator or human implemented steps or acts in order to carry out an embodiment of the invention.
According to embodiments of the invention described herein, various systems, apparatus, methods, and computer program products are herein described for determining a user's authentication requirements/credentials for a specific service request based on locating a point along an authentication continuum. The point along the authentication continuum defines the authentication requirements and is based on a current state of the user and/or service attributes. Thus, the present invention takes into account various factors and/or attributes, known at the time of service access request, to determine the degree of authentication/credentials required to access the service. The more or less that is known about the current state of the user, in comparison to historical data about the user, the more or less likely the user is, in fact, the user that is attempting to access the service and, thus, the authentication requirements required to access the service can be adjusted according (increased or decreased). Thus, the present invention serves to add efficiency to the user authentication, while at the same time imparting the requisite security required of a user authentication procedure.
Referring to
In response to receiving the request, the module 18 is configured to determine the at least one of current physical state/condition of the user 24 and/or attributes related to the function 26 requiring access. The user is known to the module 18 since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. The current physical state 24 of the user may be determined by mechanisms disposed in the wireless communication device, such as location-determining mechanisms (Global Positioning System (GPS) device or the like), accelerometers, other sensors or the like. The current state of the user 24 may include but is not limited to, the location of the user (in relation to the mobile communication device), the direction of movement of the user, the movement of the user across a predetermined boundary line, the change in direction of the user or the like. Attributes related to the function 26 may include the type of service being accessed or type of transaction being conducted, the time (e.g., time of day, week, month, year or the like) of the access request or transaction, the amount of the transaction and the like.
Once the authentication requirements module 18 has determined at least one of the current physical state of the user 24 and/or attributes related to the function 26, the module 18 is further configured to determine a location 30 along an authentication continuum 28 based, at least in part, on at least one of (1) a current physical state/condition of the user 24, or (2) an attribute related to the function 26. The location along the authentication continuum defines the authentication requirements/credentials 32 required for the user to perform the function (i.e., access a service, conduct a transaction or the like). In specific embodiments of the invention, the authentication continuum is a sliding-scale continuum in which one end of the continuum is defined by no authentication required to perform the function, the opposite end of the continuum is defined by either full authentication required, heightened authentication required (i.e., additional authentication requirements beyond standard authentication requirements, e.g., additional personal information from the user or answers to out-of-wallet challenge questions) or no authentication allowed at this time and locations in between vary the degree/amount of authentication requirements required for the user to perform the function.
In specific embodiments of the invention, the location 30 along the authentication continuum 28 is an objective determination based on the at least one of the current physical state/condition of the user 24 and/or inclusion or omission of attributes related to the function 26. In other specific embodiments of the invention, the location 30 along the authentication continuum 28 is determined subjectively, implementing heuristics or the like, based on a totality of the current physical state/condition of the user 24, the attributes related to the function 26 and any other conditions/attributes or the like related to the user or the function which may affect the authentication requirements. Conditions/attributes related to the user are those that have an effect on validating the identity of the user and conditions attributes of the function are those that have an effect on the risk involved with the function or providing access to the function.
Referring to
The apparatus 10 includes computing platform 12 that can receive and execute routines and applications. Computing platform 12 includes memory 14, which may comprise volatile and nonvolatile memory such as read-only and/or random-access memory (RAM and ROM), EPROM, EEPROM, flash cards, or any memory common to computer platforms. Further, memory 14 may include one or more flash memory cells, or may be any secondary or tertiary storage device, such as magnetic media, optical media, tape, or soft or hard disk.
Further, computing platform 12 also includes at least one processor 16, which may be an application-specific integrated circuit (“ASIC”), or other chipset, processor, logic circuit, or other data processing device. Processor 16 or other processor such as ASIC may execute an application programming interface (“API”) layer (not shown in
As previously noted in relation to
In response to receiving the request, the module 18 is configured to determine the at least one of current physical state/condition of the user 24 and/or attributes related to the function 26 requiring access. The user is known to the module 18 since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. The current physical state 24 of the user may be determined by mechanisms disposed in the wireless communication device, such as location-determining mechanisms (Global Positioning System (GPS) device or the like), accelerometers, other sensors or the like. The current state of the user 24 may include but is not limited to, the geographic location of the user 38 (in relation to the mobile communication device), the movement of the user in a specified direction 44, the movement of the user across a predetermined boundary line 42, the change in location direction of the user 40 or the like.
Attributes related to the function 26 may include the type of service being accessed or type of transaction being conducted 46, the time (e.g., time of day, week, month, year or the like) of the access request or transaction 50, the amount of the transaction 52 and the like.
Once the authentication requirements module 18 has determined at least one of the current physical state of the user 24 and/or attributes related to the function 26, the module 18 is further configured to determine a location 30 along an authentication continuum 28 based, at least in part, on at least one of (1) a current physical state/condition of the user 24, or (2) an attribute related to the function 26. The location along the authentication continuum defines the authentication requirements/credentials 32 required for the user to perform the function (i.e., access a service, conduct a transaction or the like). In specific embodiments of the invention, the authentication continuum is a sliding-scale continuum in which one end of the continuum is defined by no authentication required to perform the function, the opposite end of the continuum is defined by either full authentication required, heightened authentication required (i.e., additional authentication requirements beyond standard authentication requirements, e.g., additional personal information from the user or answers to out-of-wallet challenge questions) or no authentication allowed at this time and locations in between vary the degree/amount of authentication requirements required for the user to perform the function.
In specific embodiments of the invention, the location 30 along the authentication continuum 28 is an objective determination based on the at least one of the current physical state/condition of the user 24 and/or inclusion or omission of attributes related to the function 26. In other specific embodiments of the invention, the location 30 along the authentication continuum 28 is determined subjectively 52, implementing heuristics or the like, based on a totality of the current physical state/condition of the user 24, the attributes related to the function 26 and any other conditions/attributes 54 or the like related to the user or the function which may affect the authentication requirements. Conditions/attributes 54 related to the user are those that have an effect on validating the identity of the user and conditions attributes 54 of the function are those that have an effect on the risk involved with the function or providing access to the function.
In further embodiments, the authentication module 18 may be configured to determine a level of authentication 56 from amongst a plurality of levels. Each level may be predetermined based on different authentication requirement criteria related to the state of the user or the attributes of the function. In specific embodiments of the invention, the levels of authentication 38 may define four levels of authentication, (1) no authentication level; (2) partial/soft authentication level, (3) full authentication level, and (4) heightened authentication level.
The no authentication level is configured such that the user is not required to provide authentication credentials to access the service. The partial authentication level is configured such that the user is required to provide to some, but less than full, authentication requirements/credentials to access the service. For example, if full authentication credentials (i.e., standard credentials normally required to access the service) comprise a username, and password, partial credentials may be limited to a less complex passcode, e.g., a four digit Personal Identification Number (PIN) or the like. The full authentication level is configured such that standard/normal authentication requirements/credentials are required for the user to perform the function. The heightened authentication level may require the user to input additional personal information or answers to out-of-wallet challenge questions.
In further embodiments the apparatus includes a function level module 58 that is stored in the memory 14 and is executable by the processor 16. The function level module 58 is configured to determine a level of functionality 60 available to the user upon the user meeting the determined authentication requirements. The level of functionality 60 defines functions available 62 to the user within the service may be independent of the determination of authentication requirements. The level of functionality 60 may define transactions (or transaction amount limits 64) that the user is authorized to conduct or information the user is authorized to access during the session.
Referring to
The apparatus 110 includes computing platform 112 that can receive and execute routines and applications. Computing platform 112 includes memory 114, which may comprise volatile and nonvolatile memory such as read-only and/or random-access memory (RAM and ROM), EPROM, EEPROM, flash cards, or any memory common to computer platforms. Further, memory 114 may include one or more flash memory cells, or may be any secondary or tertiary storage device, such as magnetic media, optical media, tape, or soft or hard disk.
Further, computing platform 112 also includes at least one processor 116, which may be an application-specific integrated circuit (“ASIC”), or other chipset, processor, logic circuit, or other data processing device. Processor 116 or other processor such as ASIC may execute an application programming interface (“API”) layer (not shown in
The memory 114 stores authentication requirements module 118 that is configured to determining a user's authentication requirements/credentials for a specific network access session based on the current location of the user in comparison to a user's normal boundary of location. The authentication requirements module 118 is configured to receive a request 120 from a mobile communication device for a user to access a network-based service that requires user authentication 122. The user authentication may be required to gain access to the network-service and/or to conduct a transaction on the network-service.
In response to receiving the request, the module 118 is configured to determine the current physical (i.e., geographic) location 124 of the user. The user is known to the module 18 since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. The current physical location 124 of the user may be determined by a location-determining mechanism (e.g., Global Positioning System (GPS) device or the like) in the mobile communication device or via wireless signals transmitted from the mobile device using triangulation methodology or the like.
Once the authentication requirements module 118 has the current physical location of the user 124, the module 118 is further configured to determine the proximity in distance 128 of the current physical location of the user 124 to a predetermined physical location 126. The module 118 may access a user profile to determine that the user is associated with one or more predetermined physical locations 126. The predetermined physical locations 126 are geographic areas in which the user is frequently located, for example the user's place of residence, the user's place of business or the like. Predetermined physical locations 126 may be predetermined based on user inputs that identify the location. In such embodiments a user who is travelling may designate specific physical location (e.g., a temporary residence or place of business) for a specific period of time (i.e., the travel period) and, as such, the predetermined physical locations may be temporal, in nature. In other embodiments of the invention, the predetermined physical locations may be determined intuitively in an automated fashion based on monitoring, over time, the location of the user in relation to their mobile device. In such embodiments, the user may notified (via an alert or the like) of such locations for the purpose of confirming the location as one in which less authentication requirements may be required to access a service.
The authentication requirements module 118 is further configured to determine the authentication requirements 130 (i.e., the authentication credentials required by the user) for the user to currently access the service based on the proximity in distance 128 of the current physical location of the user 124 to the predetermined physical location 126.
In specific embodiments of the invention, the authentication requirements module 18 to determine the minimal authentication requirements 132 for the user to access the service based on proximity in distance 128 of the current physical location of the user 124 to the predetermined physical location 126. In such embodiments of the invention, the minimal authentication requirements may be no authentication required or partial authentication required based on the user being located within the boundaries of the predetermined physical location 126. In such embodiment of the invention, in which the user gains access to the service by providing the minimal authentication requirements/credentials, the user may be provided access to decreased functionality 134 within the service (i.e., less than full functionality). Decreased functionality may limit the user in terms of the transactions they may conduct within the service, the transaction amounts and/or the information that is accessible to the user during the network session. In such embodiments of the invention, if the user desires full functionality within the service, the user may provide full authentication/requirements credentials.
In further embodiments, the authentication module 118 may be configured to determine a level of authentication 136 from amongst a plurality of levels. Each level may be defined by predetermined distance thresholds 138 from the predetermined physical location 126. The predetermined distance thresholds 138 may vary depending on the type or specificity of the predetermined physical location 126. In specific embodiments of the invention, the levels of authentication 38 may define three levels of authentication, (1) no authentication level; (2) partial/soft authentication level and (3) full authentication.
The no authentication level may be based on the user currently being physically located 124 within the boundaries of predetermined physical location 126. The no authentication level is configured such that the user is not required to provide authentication credentials to access the service. The partial authentication level may be based on (1) the user currently being physically located 124 within the boundaries of the predetermined physical location 126, or (2) the user currently being physically located 124 outside of the predetermined location by a predetermined distance (i.e., first distance threshold). The predetermined distance is typically configured such that it represents a slight deviation from the boundaries of the predetermined physical location 126. The partial authentication level is configured such that the user is required to provide to some but less than full authentication requirements/credentials to access the service. For example, if full authentication credentials (i.e., standard credentials normally required to access the service) comprise a user ID, passcode and identification of a predetermined site key, partial credentials may be limited to user ID or the passcode or a led complex passcode, e.g., a four digit Personal Identification Number (PIN) or the like. The full authentication level may be based on the user currently being physically located 124 outside of the boundaries of predetermined physical area 126 by a predetermined distance. The predetermined distance is typically configured such that it indicates a significant deviation from the boundaries of the predetermined physical location. The full authentication level is configured such that the user is required to provide their designated full set of authentication requirements/credentials (i.e., the authentication requirements required if no other information is known about the user at the time of the request to access the service).
In alternate embodiments of the apparatus, the authentication requirements module 118 is configured to determine a point or location 142 along an authentication continuum 140 based, at least in part, on current location 124 of the user in relation to the boundaries of the predetermined physical location 126. The point or location 142 along the authentication continuum 140 defines the authentication requirements. In this regard, the authentication continuum may comprise a sliding scale such that one end of the continuum defines no authentication and the other end of the continuum defines full authentication. In such embodiments of the apparatus, other factors/attributes known about the user at the time of the request and/or attributes related to the service being accessed or the time of the service request may be used in the determination of the point or location along an authentication continuum 146. In such embodiments of the invention, the point/location along the authentication continuum 146 may be determined objectively (e.g., using distance and time thresholds) or subjectively, implementing heuristics or the like, to determine an optimal point along the authentication continuum based on the totality of information known about the user, the service or the environment at the time of the access request.
In further embodiments of the apparatus 110, the authentication module 118 is configured to determine authentication requirements 130 by determining that the current location of the user 124 is located within one of a plurality of zones of authentication. For example, a first zone of authentication 144 may be defined by the boundaries of the user's place of residence 146 and/or the user's place of business 148. It should be noted that the first zone may further delineated to a specific location within the place of residence (e.g., specific apartment building, room or the like) or a specific location with the place of business (e.g., a specific building or office within a building). The first zone of authentication may define the authentication requirements as either no authentication required or partial authentication (less than full authentication requirements/credentials). In another example, a second zone of authentication 150 may be defined by the residence of an individual associated with the user 152 (e.g., a friend, relative or the like) and/or a place of business consistently frequented by the user 154 (e.g., a grocery store, restaurant or the like). The second zone of authentication may define the authentication requirements as less than full authentication requirements and more than the authentication requirements required in the first zone.
In further embodiments the apparatus includes a service access module 156 that is stored in the memory 114 and is executable by the processor 116. The service access module 156 is configured to determine a level of access 158 available to the user upon the user meeting the determined authentication requirements. The level of access defines functionality available to the user within the service and may be based on the proximity in distance 160 of the current physical location of the user to the predetermined physical location. In such embodiments the determination of the level of access granted to the user may be independent of the determination of authentication requirements. While in other embodiments of the invention, the determination of the level of access may be independent of the determination of the proximity in distance 160 of the current physical location of the user to the predetermined physical location (i.e., the determination of level of access may be based on other factors/attributes related to the user's current state, the current environment/time, and/or the network service being accessed. The level of access may define transactions (or transaction limits) that the user is authorized to conduct or information the user is authorized to access during the session.
Referring to
The apparatus 210 includes computing platform 212 that can receive and execute routines and applications. Computing platform 212 includes memory 214, which may comprise volatile and nonvolatile memory such as read-only and/or random-access memory (RAM and ROM), EPROM, EEPROM, flash cards, or any memory common to computer platforms. Further, memory 214 may include one or more flash memory cells, or may be any secondary or tertiary storage device, such as magnetic media, optical media, tape, or soft or hard disk.
Further, computing platform 212 also includes at least one processor 216, which may be an application-specific integrated circuit (“ASIC”), or other chipset, processor, logic circuit, or other data processing device. Processor 216 or other processor such as ASIC may execute an application programming interface (“API”) layer (not shown in
The memory 214 stores authentication requirements module 218 that is configured to determine a user's authentication requirements/credentials for a specific mobile network access session based on the current location of the user in comparison to a known typical travel route of the user. The authentication requirements module 218 is configured to receive a request 220 for a user to access a network-based service that requires user authentication 222. The user authentication may be required to gain access to the network-service (e.g., an Internet-based service accessible via an application (i.e., “app”) executable on a user device, such as a mobile communication device) and/or to conduct a transaction on the network-service.
In response to receiving the request, the module 218 is configured to determine (1) the current physical (i.e., geographic) location 224 of the user and time 226 and (2) that the user of the apparatus is associated with a predetermined travel route 228 having location boundaries 230 and a time period 232. The user is known to the module 218 since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. As such the module 218 accesses a user profile, or a database of known travel routes, to determine that the user is associated with one or more predetermined travel route. The current physical location 224 of the user may be determined by a location-determining mechanism (e.g., Global Positioning System (GPS) device or the like) in the mobile communication device which sent the service access request or via wireless signals transmitted from the mobile communication device using triangulation methodology or the like.
Once the authentication requirements module 218 has determined that the user is associated with a predetermined travel route 228 and has determined the current physical location of the user 224 and the current time 226, the module 218 is further configured to determine the proximity in distance and time 234 of the current physical location of the user 224 and current time 226 to the predetermined travel route 228 (i.e., the location boundaries 230 and time period 232).
The authentication requirements module 218 is further configured to determine the authentication requirements 236 (i.e., the authentication credentials required by the user) for user to currently access the service based on the proximity in distance and time 234 of the current physical location of the user 224 and current time 226 to the predetermined travel route 228. In specific embodiments of the invention, the authentication requirements are defined by levels of authentication 238. In specific embodiments of the invention, the levels of authentication 238 may define three levels of authentication, (1) no authentication level 240; (2) partial/soft authentication level 242 and (3) full authentication 244.
The no authentication level 240 may be based on the user currently being physically located 124 within the predetermined location boundaries 230 of the travel route 228 and the current time 226 being within the time period 232 of the travel route 228. The no authentication level 240 is configured such that the user is not required to provide authentication credentials to access the service.
The partial authentication level 242 may be based on (1) the user currently being physically located 224 within the predetermined location boundaries 230 of the travel route 228 and the current time 226 being within the time period 232 of the travel route 228 or (2) the user currently being physically located 224 outside of the predetermined location boundaries 130 of the travel route 228 by a predetermined distance and/or the current time 226 being outside of the time period 232 by a predetermined allotted time. The predetermined distance and the predetermined allotted time are typically configured such that they are slight deviations from the location boundaries 230 and time period 232 of the travel route 228. The partial authentication level 240 is configured such that the user is required to provide to some but less than full authentication requirements/credentials to access the service. For example, if full authentication credentials (i.e., standard credentials normally required to access the service) comprise a user ID, passcode and identification of a predetermined site key, partial credentials may be limited to user ID or the passcode or a led complex passcode, e.g., a four digit Personal Identification Number (PIN) or the like.
The full authentication level 244 may be based on (1) the user currently being physically located 224 outside of the location boundaries 230 of travel route 228 by a predetermined distance and/or (2) the current time 226 being outside of the time period 232 of the travel route 228 by a predetermined time. The predetermined distance and the predetermined time are typically configured such that they are significant deviations from the location boundaries 230 and time period 232 of the travel route 228. The full authentication level 244 is configured such that the user is required to provide their designated full set of authentication requirements/credentials (i.e., the authentication requirements required if no other information is known about the user at the time of the request to access the service).
In alternate embodiments of the apparatus, the authentication requirements module 218 is configured to determine a point or location along an authentication continuum 246 based, at least in part, on current location 224 of the user and the current time 226 in relation to the location boundaries 230 and the time period 232 of the travel route 228. The point or location along the authentication continuum defines the authentication requirements. In this regard, the authentication continuum may comprise a sliding scale such that one end of the continuum defines no authentication and the other end of the continuum defines full authentication. In such embodiments of the apparatus, other factors/attributes known about the user at the time of the request and/or attributes related to the service being accessed or the time of the service request may be used in the determination of the point or location along an authentication continuum 246. In such embodiments of the invention, the point/location along the authentication continuum 246 may be determined objectively (e.g., using distance and time thresholds) or subjectively, implementing heuristics or the like, to determine an optimal point along the authentication continuum based on the totality of information known about the user, the service or the environment at the time of the access request.
In further embodiments the apparatus includes a service access module 248 that is stored in the memory 214 and is executable by the processor 216. The service access module 248 is configured to determine a level of access 250 available to the user upon the user providing the determined authentication requirements. The level of access defines functionality available to the user within the service 252 and may be based on the determined authentication requirements or may be determined independent of the determined authentication requirements. Functionality may be a transaction that the user is authorized to conduct or information the user is authorized to access during the session. The determination of the level of access 250 may take into account the proximity in distance and time of the user to the travel route, as well as other information known about the user or the user's current environment at the time of the access request.
Referring to
The apparatus 310 includes computing platform 312 that can receive and execute routines and applications. Computing platform 312 includes memory 314, which may comprise volatile and nonvolatile memory such as read-only and/or random-access memory (RAM and ROM), EPROM, EEPROM, flash cards, or any memory common to computer platforms. Further, memory 314 may include one or more flash memory cells, or may be any secondary or tertiary storage device, such as magnetic media, optical media, tape, or soft or hard disk.
Further, computing platform 312 also includes at least one processor 316, which may be an application-specific integrated circuit (“ASIC”), or other chipset, processor, logic circuit, or other data processing device. Processor 316 or other processor such as ASIC may execute an application programming interface (“API”) layer (not shown in
In addition, memory 314 stores authentication requirements module 318 that is configured to determine user authentication requirements/credentials for a specific mobile network access session based on the current location of the user being within a predefined area requiring altered (i.e., increased or decreased) authentication requirements. The authentication requirements module 318 is configured to receive a request 320 from a mobile communication device for a user to access a network-based service that requires user authentication 322. The user authentication may be required to gain access to the network-service and/or to conduct a transaction on the network-service.
In response to receiving the request, the module 318 is configured to determine the current physical (i.e., geographic) location 324 of the user. The user is known to the module 318 since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. The current physical location 324 of the user may be determined by a location-determining mechanism (e.g., Global Positioning System (GPS) device or the like) in the mobile communication device or via wireless signals transmitted from the mobile device using triangulation methodology or the like. In specific embodiments, the determination of the altered authentication requirements may be temporal (i.e., the altered authentication requirements in the predetermined physical area 326 exist only for a predetermined time period). In such embodiments, the module 318 is further configured to determine a current time 334.
Once the authentication requirements module 318 has the current physical location of the user 324, the module 318 is further configured to determine that the current physical location 324 is proximity to or within a predetermined physical area 326 having altered authentication requirements 328. In specific embodiments, certain geographic areas will be predetermined as requiring increased authentication requirements 330 or decreased authentication requirements 332 in comparison to standard authentication requirements used to access the service (i.e., the authentication requirements/credentials typically requested of a user absent any further knowledge about the state of the user). In such embodiments, the increased authentication requirements 330 may include a request for the user to provide further personnel data or answer out-of-wallet challenge questions. The decreased authentication requirements 332 may be that no authentication is required by the user to access the service or partial authentication (i.e., soft authentication) is required. Partial authentication is defined as some form of authentication credentials less than full/standard authentication credentials.
In specific embodiments of the invention, the predetermined physical area 326 may be defined by the service provider 338. For example, if the service provider is a financial institution providing an online or mobile banking service the financial institution may identify certain areas as high risk and require increased authentication requirements 330 in such areas. Examples of such high risk areas include, but are not limited to, areas having historically high rates of fraud 344, areas having unsecured wireless communication 342 and the like. In addition, the service provider may designate as area as requiring altered authentication requirements on a permanent basis or a temporary basis. For example, a service provider may designate a physical area where a heavily attended event is to be held as an area requiring increased authentication requirements for the time period over which the event will be held.
In other specific embodiments of the invention, the predetermined physical area 326 may be defined by the user 340. Such designation by the user may be permanent or temporary. For example, if the user is aware of upcoming travel plans, the user may designate travel routes or specific locations at the travel destination (i.e., hotels, residences, business offices) as areas requiring decreased authentication requirements 332. Further, if the upcoming travel plans are a one-time only occurrence the user may designate the locations as requiring decreased authentication requirements on a temporary basis (i.e., for a time period that expires at the conclusion of the travel period). However, if the travel occurs on a regular and/or ongoing basis (e.g., permanent vacation residence, same business travel destination or the like), the user may designate the locations as requiring decreased authentication requirements on a permanent basis or for designated continual time periods (e.g., certain times of week, month, year, or the like.)
In those embodiments of the invention in which the predetermined physical area 326 has altered authentication requirements 328 during a specified predetermined time period 336 (e.g., on a temporary basis or for designated time periods only), the module 318 is further configured to determine that the current time 334 is within the designate predetermined time period 336, such that the altered authentication requirements 328 designated for the predetermined time period 336 are invoked.
In further embodiments, the authentication module 318 may be configured to determine a level of authentication 346 from amongst a plurality of levels. Each level may be defined by predetermined based on distance threshold from the predetermined physical area 326. The predetermined distance thresholds may vary depending on the type or specificity of the predetermined physical area 326. In specific embodiments of the invention, the levels of authentication 338 may define three levels of authentication, (1) no authentication level; (2) partial/soft authentication level and (3) heightened authentication.
The no authentication level may be based on the user currently being physically located 324 within the boundaries of predetermined physical area 326. The no authentication level is configured such that the user is not required to provide authentication credentials to access the service. The partial authentication level may be based on (1) the user currently being physically located 324 within the boundaries of the predetermined physical location 326, or (2) the user currently being physically located 324 outside of the predetermined location by a predetermined distance. The partial authentication level is configured such that the user is required to provide to some, but less than full, authentication requirements/credentials to access the service. For example, if full authentication credentials (i.e., standard credentials normally required to access the service) comprise a username, and password, partial credentials may be limited to a less complex passcode, e.g., a four digit Personal Identification Number (PIN) or the like. The heightened authentication level may be based on the user currently being physically located 324 within the physical area 326 and may require the user to input additional personal information or answers to out-of-wallet challenge questions.
In further embodiments the apparatus includes a service access module 348 that is stored in the memory 314 and is executable by the processor 316. The service access module 348 is configured to determine a level of access 350 available to the user upon the user meeting the determined authentication requirements. The level of access 350 defines functionality available to the user within the service and may comprise decreased access to functionality 352 (compared to normal functionality) or increased access to functionality 354 (compared to normal functionality). In such embodiments the determination of the level of access 350 granted to the user may be independent of the determination of authentication requirements. The level of access may define transactions (or transaction limits) that the user is authorized to conduct or information the user is authorized to access during the session.
At Event 404, in response to receiving the request, a determination is made as to the current physical (i.e., geographic) location of the user. The current physical location of the user may be determined by a location-determining mechanism (e.g., Global Positioning System (GPS) device or the like) in the mobile communication device which sent the service access request or via wireless signals transmitted from the mobile communication device using triangulation methodology or the like.
At Event 406, once the determination is made of the current physical location of the user, a determination is made of the proximity in distance and time of the current physical location of the user and current time to a predetermined physical location associated with the user. As previously noted, the user is known to the module since the service request is coming from a mobile communication device that is identifiable by procedures discussed previously. As such the module accesses a user profile or the like to determine that the user is associated with one or more predetermined physical locations.
At Event 408, authentication requirements/credentials for the user to currently use as means to access the service are determined based on the proximity in distance of the current physical location of the user to the predetermined physical location. The authentication requirements/credentials determined may dictate that the user provide no authentication credentials to access the service, partial/soft authentication credentials or full authentication credentials based on the proximity in distance and/or time of the user to the predetermined physical location.
Thus, systems, apparatus, methods, and computer program products described above provide for determining a user's authentication requirements/credentials for a specific service access request based on determining a location along a an authentication continuum. The location along the authentication continuum defines the degree of authentication/credentials required to access the service and is determined based on a current state of the user and/or service attributes. The more or less that is known about the current state of the user, in comparison to historical data about the user, the more or less likely the user is, in fact, the user that is attempting to access the service and, thus, the authentication requirements required to access the service can be adjusted according (increased or decreased).
While certain exemplary embodiments have been described and shown in the accompanying drawings, it is to be understood that such embodiments are merely illustrative of and not restrictive on the broad invention, and that this invention not be limited to the specific constructions and arrangements shown and described, since various other changes, combinations, omissions, modifications and substitutions, in addition to those set forth in the above paragraphs, are possible.
Those skilled in the art may appreciate that various adaptations and modifications of the just described embodiments can be configured without departing from the scope and spirit of the invention. Therefore, it is to be understood that, within the scope of the appended claims, the invention may be practiced other than as specifically described herein.
