The present invention relates to authentication, and in particular, to systems and methods for authenticating a user using electronic readable identifiers.
Consumers and corporate users expect a secure environment when accessing private information like billing or financial data over a shared data network (e.g., the Internet). However, these same consumers and corporate users do not want to be inconvenienced by having to create and remember strong passwords and user IDs, or by performing multiple authentication steps.
Electronically Readable Identifiers such as bar codes and data matrices are used to encode and decode information that can be optically scanned, for example by using mobile devices.
Example embodiments simplify the user experience in accessing private accounts while keeping such access secure from unauthorized individuals.
Example embodiments will now be described with reference to the drawings summarized below. These drawings and the associated description are provided to illustrate example embodiments of the invention, and not to limit the scope of the invention.
The methods and systems of the present invention improve on conventional access security while simplifying and enhancing the user access experience. In addition, these methods substantially improve security when accessing online accounts from a voice and data terminal outside of the home, such as a personal computer in an Internet café.
Electronic Readable Identifiers (ERI) such as bar codes and data matrices are used to encode and decode information that can be optically scanned. Embodiments described herein can be used with some or all of the currently known ERIs or any as yet undeveloped ERIs. This includes but is not limited to the following known electronically readable identifiers: Plessey, UPC-A, UPC-E, Codabar, Code 25 Non-interleaved 2 of 5, Code 25 Interleaved 2 of 5, Code 11, Code 39, Code 93, Code 128, Code 128A, Code 128B, Code 128C, CPC binary, DUN 14, EAN 2, EAN 5, EAN 8, EAN 13, GS1-128, GS1 DataBar, ITF-14, Latent Image Barcode, Pharmacode, PLANET, POSTNET, OneCode, MSI, PostBar, RM4SCC/KXX, Telepen, 3-DI, ArrayTag, Aztec Code, Small Aztec Code, bCODE, bullseye, Codablock, Code 1, Code 16K, Code 49, Color Code, CP Code, DataGlyphs, Datamatrix, Datastrip Code, Dot Code A, EZcode, High Capacity Color Barcode, HueCode, INTACTA.CODE, InterCode, MaxiCode, mCode, MiniCode, PDF417, Micro PDF417, PDMark, PaperDisk, Optar, QR Code, Semacode, SmartCode, Snowflake code, ShotCode, SuperCode, Trillcode, UltraCode, VeriCode, VSCode, and WaterCode.
Telephone Number Mapping (ENUM)—maps the telephone numbering system into the Internet addressing system.
International Mobile Equipment Identity (IMEI)—A unique identifier assigned to a given GSM or UMTS mobile phone. The IMEI number is used to identify the mobile device, and typically has no permanent or semi-permanent relation to the mobile phone subscriber.
Electronic Serial Number (ESN)—A number unique to a US-based mobile phone. The ESN number is used to identify the mobile device, and has no permanent or semi-permanent relation to the mobile phone subscriber.
Mobile Equipment Identifier (MEID) is a globally unique number identifying a CDMA mobile phone. MEIDs have replaced ESNs.
Web Site or Web is a term used throughout the following description. It is used to refer to a user-accessible network site that implements the basic World Wide Web standards for the coding and transmission of hypertext documents. These standards currently include HTML (the Hypertext Markup Language) and HTTP (the Hypertext Transfer Protocol). It should be understood that the term “site” is not intended to imply a single geographic location, as a Web or other network site can, for example, include multiple geographically distributed computer systems that are appropriately linked together. Furthermore, while the following description relates to an embodiment utilizing the Internet and related protocols, other networks, such as networked interactive televisions, and other protocols may be used as well.
Further, while the following description refers to example networks and telephony standards and protocols, other standards and protocols can be used as well. The term phone Identifier (phone ID) can include a SIP address, a Skype address (or other peer-to-peer Internet telephony network address), a wireless phone number, an international number, an E.164 phone number, an ENUM, an MEID, an IMEI, an ESN, or other yet undeveloped telephony address. While certain phone identifiers are referenced for purposes of illustration, other electronic addresses or locators can be used as well.
In addition, while references may be made to electronic scanners, e.g., the use of a mobile phone as a scanner, other electronic scanners and/or image capture devices can be used as well including the ability to capture an image displayed on the user's mobile device. In addition, unless otherwise indicated, the functions described herein may be performed by executable code and instructions stored in computer readable medium and running on one or more processor-based systems. However, state machines, and/or hardwired electronic circuits can also be utilized. Further, with respect to the example processes described herein, not all the process states need to be reached, nor do the states have to be performed in the illustrated order. Further, certain process states that are illustrated as being serially performed can be performed in parallel.
Similarly, while certain examples may refer to a personal computer system or data device, other computer or electronic systems can be used as well, such as, without limitation, an interactive television, a network-enabled personal digital assistant (PDA), a network game console, a networked entertainment device, a smart phone (e.g., with an operating system and on which a user can install applications) and so on. While certain references are made to certain example system components or services, other components and services can be used as well and/or the example components can be combined into fewer components and/or divided into further components.
In addition, while certain user inputs or gestures are described as being provided via phone key presses, data entry via a keyboard, or by clicking a computer mouse or button, optionally, user inputs can be provided using other techniques, such as by voice or otherwise.
While some examples refer to certain example messaging protocols (e.g., SMS or MMS) for illustrative purposes, other messaging protocols can be used as well (e.g., instant messaging, email, SMTP, etc.).
In addition, certain capabilities described herein make use of an authentication client application 800 hosted on a terminal (reference FIG. 1—e.g., a personal computer, a network personal digital assistant, a smart phone, or a mobile or wireless phone with an Internet connection, etc.) to assist in the user access to their private data. Optionally, a user can have multiple clients hosted on multiple computers or other hosts.
The functionality, operation, and implementation for an example authentication service will now be described in further detail.
As further illustrated, the authentication system includes a plurality of computer terminals 100. The computer terminals 100 can be a personal computer having a monitor, keyboard, a disk drive, and a data communication interface. In addition, the computer terminal 100 can be an interactive television, a networked-enabled personal digital assistant (PDA) or the like. The computer terminals 100 are connected to a data network 400 (e.g., the Internet or a corporate LAN or WAN).
In an example embodiment, an authentication client 800 connects to and communicates with a phone server 500 either directly via the wireless network 300 or indirectly by linking the wireless network 300 with the data network 400. The authentication client application 800, executing on a subscriber's mobile phone 200 or other host, can interact with the optical scanning capabilities of the mobile phone to receive an image or the content of an image. Optionally, the client 800 can be used to transmit data to the authentication system 900 (e.g., by transmitting a message over the Internet). Optionally, the client 800 can make the user's online presence known to the authentication system 900 (e.g., by periodically transmitting a message over the Internet to the authentication system 900). Optionally, the client 800 can be used to receive and store in a computer readable medium a password (e.g., an alpha numeric password, a user biometric, etc.) from the user. For example, the user invokes the application (if the application is not already active) and enters a password (e.g., by key pressing or speaking a password). Optionally, the client 800 can be used to receive and store in a computer readable medium a copy of a password from a service provider 600 that the user has previously registered with. For example, the authentication system transmits a message over a wireless data connection to the client or via a Short Message Service (SMS). SMS is a wireless messaging service that enables the transmission of messages between mobile subscribers (and their phones) and external systems such as electronic mail services and authentication systems. Optionally, the client 800 can display status, success, and failure messages to the user. Optionally, the client 800 provides interfaces through which a user can enter data and/or respond to messages. 
Optionally, the client's authentication capabilities can be integrated into and can be a part of another application (e.g., a telecommunications client or a contact management client).
In this example, the authentication servers 900 are optionally centralized at a given location, or distributed to a number of locations. The authentication system 900 can be a standalone system (e.g., an authentication system used by a number of service providers) or the authentication system is integrated into a service provider's internal systems (e.g., those systems employed to provide users online information access). Optionally, the authentication system is provided by a telecommunication carrier (e.g., Verizon) to service providers (e.g., banks). Optionally, there are no charges to use the authentication system. Optionally, the voice and/or data transactions between a user's mobile device and one or more authentication servers are not charged to the user but to the service provider or telecommunication carrier. Optionally, the authentication system is available to corporate employees of an enterprise and is not accessible by individuals outside of the enterprise. Optionally, the authentication system is connected to a data communication network 400 and a wireless network 300. The authentication system interconnects with the wireless network 300 using telecommunication interfaces (e.g., SS7) and via data communication networks using a secure router subsystem and an SMS server subsystem which optionally serves as a mail relay to transmit and receive SMS and MMS messages via a Short Message Service Center (e.g., an SMSC operated by a network carrier). These subsystems of the authentication system are optionally interconnected via a Local Area Network (LAN), a Private Wide Area Network (WAN), and/or a Public Wide Area Network (e.g., the Internet).
The authentication system in this example contains centralized databases and/or general-purpose storage areas, optionally including, but not limited to a customer/user database(s) 700. Optionally, the database(s) is not centralized and may be distributed geographically and/or over different systems. The database is optionally interconnected to the authentication system via a Local Area Network (LAN), a Private Wide Area Network (WAN), and/or a Public Wide Area Network (e.g., Internet).
Optionally, the authentication system includes a presence management subsystem. Presence managers optionally authenticate and track authentication client online presence and interact with a given authentication client (e.g., a client application hosted on a user's mobile phone) as information (e.g., passwords) is synchronized with the centralized databases, to provide the user secure and reliable authentication and account updates.
Optionally, the authentication system includes access to other databases for additional levels of user verification. Optionally, the authentication system accesses name information from an SS7 Caller Name (CNAM) database and the hosting telecommunications carrier from the SS7 Local Number Portability database. The accessible information optionally includes phone identification information (e.g., from an SS7 LIDB (Line Information Data Base) or ENUM (Telephone Number Mapping) database). The chart below describes various example embodiments. The first column distinguishes each example by number. The second column summarizes the user interaction. The third column summarizes the corresponding data elements used for authentication. The fourth column summarizes for each example the resultant level of security. It should be understood that the examples herein list only certain variations of the present invention and are not to be limited to only these variations. Other example variations are possible, e.g., combining two or more variants from the examples listed below.
Before accessing his/her account, it is presumed (in this example) that the user established and configured an online account by, for example, contacting a bank representative or by another example (see
In this example embodiment and others, if the user changes their phone number (e.g., by purchasing a new phone), they contact their banking service provider via the web or phone and re-register their new phone identifier.
State 1. The user accesses the bank's web site which hosts an online banking service. In this example, the user browses to the bank's web site using a personal computer 100 connected to data network 400. Optionally, any data networking capable device can be used by the user including for example, a mobile phone with data networking capabilities.
State 2. The bank's web hosting server 600 records the user request in the subscriber database 700 or any similar data store along with a unique identifier for this user's web browser session (called the web Session ID or SID). Because the bank's web site is hosting many simultaneous online banking sessions, the unique SID distinguishes this user's online access from others. In an analogous fashion, different application services running on web server 600 sharing access to the phone server 500 are distinguished by assigning a Service Provider ID (SPI) to each. The SPI uniquely identifies the service provider and/or provides a data or phone network location for authentication. Example SPIs optionally include but are not limited to the following: the data network address of the bank's authentication system, the phone number of a call processing system connected to the bank's authentication system, and a unique 10-digit operating company number which can be used by a software application within the handset to look up a destination network address.
The bank's web hosting server 600 passes this information to the phone server 500 for additional processing.
State 3. The phone server 500 receives the passed information from the bank's web hosting server 600 and creates an ERI for this user. In this example embodiment, the ERI is a data matrix. The phone server 500 encodes the information in the data matrix including but not limited to a unique web Session Identifier (SID) and a Service Provider Identifier (SPI).
State 4. The bank's web hosting server 600 merges the ERI onto the web page image and presents the web page 1000 to the user (see
State 5. The user scans the ERI 1300 displayed on the web page 1000. In this example, the customer uses his/her cell phone to perform the scanning (e.g., image capture) operation.
State 6. The scanned data matrix is decoded by one or more software programs 800 within the mobile device 200 interacting with the scanning subsystem of the mobile phone. The information extracted from the decoded data matrix is transmitted to the banking service provider phone server 500 using at least in part information included in the data matrix. In this example, the decoded information is transmitted to the banking service provider authentication server(s) 900 over a wireless data network.
In the same transmission or a subsequent transmission, the wireless phone ID of the mobile device is also transmitted to the phone server 500. Optionally, the wireless phone ID is the E.164 address. Optionally, the client application 800 hosted on the user's mobile phone 200 requests the user's Mobile Identification Number (MIN) from the telecommunication carrier providing wireless services to the user. The user's MIN is stored in the telecommunications carrier's Home Location Register (HLR). Optionally, the MIN is transmitted to the Authentication System 900. Alternatively, the authentication system 900 accesses the MIN by submitting a request using the user's phone ID using a separate and unique network connection (e.g., SS7) and the two MINs are compared. If the two MINs do not match, the user is denied access.
The wireless transmission of the decoded ERI information in this example is transmitted over the wireless network 300 using protocols including but not limited to a proprietary protocol or an open messaging protocol (e.g. Short Message Service, Multimedia Messaging Service, or SMTP).
State 7. The phone server 500 interfaces with the mobile phone 200 either directly through the wireless network 300 or (as is shown in this example) through the serial connection of the wireless network 300 trunked to the data network 400. The phone server 500 receives the user's mobile phone ID (or an equivalent phone identifier associated with the mobile phone) and the Web SID (and optionally other information) from the decoded data matrix which it passes to the bank's web hosting server 600.
State 8. The bank's web hosting server 600 looks up the SID in the previously stored table of active SIDs and compares the received mobile phone ID (or equivalent) with a list of user accounts in the database 700.
If a phone Identifier (ID) match is found a “Pass” indication is stored and the web server 600 grants the user access to his/her online account by changing the state of the user's web session (the web session identified by the SID) to logged in. The server 600 then opens the account and sends the selected user information to the user's data terminal 100.
If a phone ID match is not found, a “fail” indication is stored and the web server 600 rejects the login and optionally, presents a user access denied message on the user's terminal 100.
Optionally in State 8, a notification can be sent to the mobile phone 200 of the user. This notification can be a text message describing the successful or unsuccessful login attempt. In another example, the notification can trigger an application 800 on the mobile handset that provides a rich visual presentation of the successful or unsuccessful login. The notification can optionally include a phone number or web address that can be used by the user for additional assistance.
This example embodiment illustrates a technique for providing the user with simple and secure access to online content. With this embodiment the user is not required to remember or enter a customer ID and/or a password to access their online account.
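The following is an added illustration of States 1 through 8, not code from the patent itself. It models the web hosting server 600 (owner of the table of active SIDs), the phone server 500 (which builds the ERI content and relays the decoded parameters), and the client application 800 (which decodes the scanned ERI). The data matrix image is stood in for by its encoded text payload, the account table and phone numbers are constructed sample data, the name `SPI` and the 120-second session lifetime are assumptions, and the replay and expiry checks are the checks a practitioner would add around the SID lookup described in State 8.

```python
import base64
import json
import secrets
import time

# Constructed stand-in for the subscriber database 700: phone ID -> account.
ACCOUNTS = {
    "+15551230001": {"customer": "alice", "balance": "$1,234.56"},
    "+15551230002": {"customer": "bob", "balance": "$42.00"},
}
SESSION_TTL_SECONDS = 120      # assumed: how long a displayed ERI stays valid
SPI = "bank-auth.example"      # assumed Service Provider Identifier (network address form)


class WebServer:
    """Bank web hosting server 600: owns the table of active SIDs (State 2, State 8)."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions = {}   # SID -> {"created", "state": pending|logged_in|failed, "user"}

    def start_login(self):
        # State 2: the SID must be unpredictable, otherwise a session a third party
        # can guess could be completed with any registered phone.
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"created": self.now(), "state": "pending", "user": None}
        return sid

    def complete_login(self, sid, phone_id):
        # State 8: look up the SID in the active table, then match the phone ID.
        session = self.sessions.get(sid)
        if session is None or session["state"] != "pending":
            return "fail"        # unknown SID, or one that was already used (replay)
        if self.now() - session["created"] > SESSION_TTL_SECONDS:
            session["state"] = "failed"
            return "fail"        # stale ERI left on screen
        account = ACCOUNTS.get(phone_id)
        if account is None:
            session["state"] = "failed"
            return "fail"        # phone not registered to any account
        session["state"] = "logged_in"   # the web session itself becomes logged in
        session["user"] = account["customer"]
        return "pass"


class PhoneServer:
    """Phone server 500: builds the ERI payload (State 3) and relays decoded data (State 7)."""

    def create_eri(self, sid):
        # State 3: the content encoded into the data matrix; a deployment would render
        # this as an image, here the encoded bytes stand in for it.
        payload = json.dumps({"sid": sid, "spi": SPI}).encode()
        return base64.urlsafe_b64encode(payload).decode()

    def relay(self, web_server, decoded, phone_id):
        # State 7: only forward ERIs issued for this service provider.
        if decoded.get("spi") != SPI:
            return "fail"
        return web_server.complete_login(decoded.get("sid", ""), phone_id)


def mobile_client_scan(eri):
    # States 5-6: the client application 800 decodes the scanned ERI.
    return json.loads(base64.urlsafe_b64decode(eri.encode()))


def run_login(phone_id, now=time.time):
    """Walk States 1-8 once for the given phone and return the Pass/fail indication."""
    web, phone_server = WebServer(now), PhoneServer()
    sid = web.start_login()                     # States 1-2
    eri = phone_server.create_eri(sid)          # States 3-4
    decoded = mobile_client_scan(eri)           # States 5-6
    return phone_server.relay(web, decoded, phone_id)   # States 7-8


if __name__ == "__main__":
    print(run_login("+15551230001"))   # registered phone
    print(run_login("+15559990000"))   # unregistered phone
```

Note that in this embodiment any registered phone can complete any pending SID; the session is bound to an account only at State 8, which is why the SID must be unguessable and short-lived.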
In State 6, the scanned image of the ERI or data matrix in this example is transmitted directly to the phone server 500 where the SID is extracted by decoding the ERI. In this example embodiment, the user would need to explicitly specify the destination phone server 500 address when transmitting the scanned image.
During states 8-10, after confirming that the online user is registered in the user database 700, the web server 600 then sends a dynamically generated temporary password to the user's phone 200 and then sends a new password entry web form to the user's data terminal 100.
State 8. The web server 600 dynamically creates a password and transmits that password to the phone server 500.
State 9. The phone server 500 transmits the password to the user's mobile phone 200, for example by sending a message or by speaking the password during a voice call.
State 10. The web server 600 causes a web form to be displayed on the user's data terminal 100.
State 11. The user visually or audibly observes the received password displayed or played out on their phone 200, manually enters the information into the web form, and then submits the filled in form for review by the web server 600.
State 12. The web server 600 compares the password entered by the user with the dynamic password previously sent. If they match, the web server then allows the user to access the authorized user information.
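As an added example for States 8 through 12 (not the patent's own code), the web server 600 side of the dynamic temporary password: a fresh password is generated per login request and handed to the caller for delivery through the phone server 500, then compared against what the user typed into the web form. The 5-minute lifetime, the 8-character length, the single-attempt policy and the confusable-free alphabet are assumptions of this example; delivery to the phone is outside the block.

```python
import hmac
import secrets
import time

PASSWORD_TTL_SECONDS = 300   # assumed lifetime of a dynamically generated password
# Assumed alphabet without 0/O and 1/I: the user reads the value off a phone screen
# (or hears it) and re-types it, so confusable characters only cause failed logins.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class DynamicPasswordServer:
    """Web server 600 side of States 8 and 12; delivery (State 9) is the caller's job."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # SID -> (password, issued_at)

    def issue(self, sid, length=8):
        # State 8: one fresh password per login request, generated from a CSPRNG.
        password = "".join(secrets.choice(ALPHABET) for _ in range(length))
        self.pending[sid] = (password, self.now())
        return password   # handed to the phone server 500 for State 9

    def verify(self, sid, submitted):
        # State 12: compare the form entry (State 11) with the password sent.
        # The entry is removed on the first attempt, match or not, so a password
        # can neither be replayed nor guessed over repeated submissions.
        entry = self.pending.pop(sid, None)
        if entry is None:
            return False
        password, issued_at = entry
        if self.now() - issued_at > PASSWORD_TTL_SECONDS:
            return False
        normalized = submitted.strip().upper().replace(" ", "")
        if len(normalized) != len(password):
            return False
        # Constant-time comparison so timing does not leak matching prefixes.
        return hmac.compare_digest(password, normalized)


if __name__ == "__main__":
    server = DynamicPasswordServer()
    pw = server.issue("session-123")
    print(pw, server.verify("session-123", pw.lower()))
```

A deployment that wants to allow a second try after a typo would keep a small attempt counter per SID instead of popping on the first attempt; the expiry and the single-use-on-success properties should stay.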
State 1. The user accesses the bank's web site which hosts an online banking service by browsing to the bank's web site using, for example, a personal computer 100.
State 2. The bank's web hosting server 600 causes a New Registration & Login web page 2000 (see
State 3. The user enters their unique customer identifier (CID) into the Customer ID Field 2300 and clicks the Login Button 2400.
State 4. The bank's web hosting server 600 looks up the CID in the user database 700 and records the login request event. The web hosting server 600 then forwards a request, along with the SPI for this service, to the phone server 500, requesting that an ERI image be generated.
State 5. The phone server 500 receives the passed information from the bank's web hosting server 600 and creates an ERI for this user and service provider.
State 6. The bank's web hosting server 600 then merges the ERI onto the web page image and causes a new web page 3000 (see
State 7. The user scans the ERI 3100 displayed on the web page 3000. In this example, the user uses his/her cell phone to perform the scanning operation.
State 8. The scanned ERI image is decoded by client software 800 within the mobile device 200 and the extracted information is routed to the banking service provider's phone server 500 using at least in part information included in the ERI. In the same transmission or a subsequent transmission, the wireless phone identifier of the mobile device is also transmitted to the phone server 500.
State 9. The phone server 500 transmits the extracted parameters to the web server 600.
State 10. The bank's web hosting server 600 compares the received phone identifier with, in this example, the list of active login requests from State 4. If the comparison results in a match, the web server 600 presents the user information to the user's web browser displayed on their terminal 100.
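An added example (not the patent's code) of what changes on the web hosting server 600 in this customer-ID variant, States 4 and 10: because the CID is known before the ERI is generated, the login request can be bound to the phone identifier registered for that customer, so a different customer's registered phone cannot complete it. The ERI content, the phone server relay and the form handling are left out; the block assumes the ERI carries a per-request identifier for the login request, and the user table, customer IDs and phone numbers are constructed sample data.

```python
import secrets
import time

REQUEST_TTL_SECONDS = 120   # assumed lifetime of an active login request

# Constructed stand-in for the user database 700: customer ID -> registered phone ID.
USERS = {
    "C-1001": "+15551230001",
    "C-1002": "+15551230002",
}


class CidLoginServer:
    """Web hosting server 600: the list of active login requests from State 4."""

    def __init__(self, now=time.time):
        self.now = now
        self.active = {}   # request_id -> {"cid", "phone_id", "created"}

    def request_login(self, cid):
        # State 4: look up the CID and record the login request. The phone ID that
        # must later appear is fixed here, before any ERI is displayed or scanned.
        phone_id = USERS.get(cid)
        if phone_id is None:
            return None    # unknown customer: no request is recorded, no ERI generated
        request_id = secrets.token_urlsafe(16)   # assumed: what the ERI would carry
        self.active[request_id] = {"cid": cid, "phone_id": phone_id, "created": self.now()}
        return request_id

    def complete(self, request_id, scanned_phone_id):
        # State 10: compare the phone identifier relayed by the phone server 500 with
        # the active request. The request is consumed whatever the outcome.
        req = self.active.pop(request_id, None)
        if req is None:
            return None    # unknown or already-consumed request
        if self.now() - req["created"] > REQUEST_TTL_SECONDS:
            return None    # ERI left on screen too long
        if scanned_phone_id != req["phone_id"]:
            return None    # a phone registered to someone else does not match
        return req["cid"]  # caller presents this customer's information (State 10)


if __name__ == "__main__":
    server = CidLoginServer()
    rid = server.request_login("C-1001")
    print(server.complete(rid, "+15551230001"))   # C-1001
```

Compared with the SID-only flow, the match at State 10 is against one expected phone rather than against the whole account list, which narrows what a scan of someone else's displayed ERI can achieve to that customer's own registered phone.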
It should be understood that the examples herein list only certain variations of the present invention and are not to be limited to only these variations. Other example variations are possible, e.g., the use of an account identifier together with a stored password in the mobile device of the user or the use of an account identifier together with a stored biometric.
In addition, it should be understood that certain variations and modifications of the systems and processes described herein would suggest themselves to one of ordinary skill in the art. The scope of the present invention is not to be limited by the illustrations or the foregoing descriptions thereof.