U.S. patent application number 15/631598 was filed with the patent office on 2017-10-05 for mutual authentication of a user and service provider.
The applicant listed for this patent is Kachyng, Inc. Invention is credited to Resh Wallaja.
Application Number | 20170286957 15/631598
Document ID | /
Family ID | 44711413
Filed Date | 2017-10-05
United States Patent Application | 20170286957
Kind Code | A1
Wallaja; Resh | October 5, 2017
Mutual Authentication of a User and Service Provider
Abstract
The present invention relates to a method and system for mutual authentication of a user and service provider, said method comprising the acts of: authenticating an event by a key generation module (KGM), said event being generated on a computing device by a user; sending, by an authentication server to the key generation module (KGM), a shared secret of the registered user for the event; generating, by the KGM, a one-time key for the event; transmitting the one-time key, with the shared secret appended, to the registered user's mobile device; and performing at least one of: authenticating the user for said event by the KGM when the registered user enters the one-time key on the computing device within a predetermined time period, or terminating the event upon receipt of a predefined key sequence from the mobile device.
Inventors: | Wallaja; Resh (San Francisco, CA)
Applicant:
Name | City | State | Country | Type
Kachyng, Inc. | San Francisco | CA | US |
Family ID: | 44711413
Appl. No.: | 15/631598
Filed: | June 23, 2017
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
15016205 | Feb 4, 2016 | 9699183
15631598 | |
13637998 | Sep 28, 2012 | 9275379
PCT/IB11/51382 | Mar 31, 2011 |
15016205 | |
Current U.S. Class: | 1/1
Current CPC Class: | G06Q 20/401 20130101; G06Q 20/20 20130101; H04L 9/0819 20130101; H04L 63/0869 20130101; H04L 9/14 20130101; H04L 9/0861 20130101; H04L 63/18 20130101; H04L 9/3226 20130101; H04L 9/3228 20130101; H04L 9/321 20130101; G06Q 20/00 20130101; H04L 2209/56 20130101
International Class: | G06Q 20/40 20060101 G06Q020/40; G06Q 20/20 20060101 G06Q020/20; H04L 9/32 20060101 H04L009/32; H04L 9/08 20060101 H04L009/08; H04L 9/14 20060101 H04L009/14
Foreign Application Data
Date | Code | Application Number
Mar 31, 2010 | IN | 915/CHE/2010
Apr 22, 2010 | IN | 154/CHE/2010
Claims
1. A computer-implemented method for authentication of an event,
the method comprising: receiving, at a key generation module (KGM),
a notification of an event generated at a computing device;
transmitting the notification of the event to an authentication
server; receiving, at the KGM, from the authentication server, a
shared secret provided by a user previously registered for the
event; generating, by the KGM, a one-time key for the event;
appending the shared secret to the one-time key to generate an
appended key; causing the appended key to be transmitted to a
mobile device associated with the user previously registered for
the event; and authenticating the event in response to receiving a
notification from the computing device within a predetermined time
period indicating the one-time key was entered at the computing
device.
2. The method of claim 1, wherein the appended key is transmitted
using at least one of Single Data Message Format (SDMF), Multiple
Data Message Format (MDMF), Unstructured Supplementary Services
Data (USSD), 3G video over voice, interactive voice response (IVR),
placed telephone call and general packet radio service (GPRS).
3. The method of claim 1, wherein the computing device is a point
of sale terminal (POS) and the event is initiated in response to a
credit card being read by the POS.
4. The method of claim 1, wherein transmitting the appended key to
the mobile device comprises invoking automatically a mobile
application on the mobile device to render the appended key.
5. The method of claim 1, wherein the shared secret is at least one
of an image, a sound, a word, a phrase, a video, a number, and an
alphanumeric word.
6. The method of claim 1, wherein the one-time key is at least one
of a symbol, an alphanumeric word, and a number.
7. The method of claim 1, further comprising terminating the event
responsive to receiving a notification from the computing device
indicating that an invalid key was entered at the computing device,
wherein the invalid key is different from the one-time key.
8. The method of claim 7, wherein the invalid key includes a
predefined key sequence known to the user previously registered for
the event.
9. The method of claim 8, further comprising receiving the
predefined key sequence from the mobile device associated with the
user previously registered for the event.
10. The method of claim 7, further comprising locking an account
associated with the user previously registered for the event.
11. A method for authentication of an event, the method comprising:
receiving, at a key generation module (KGM), a notification of an
event generated at a computing device; transmitting the
notification of the event to an authentication server; receiving,
at the KGM, from the authentication server, a shared secret
provided by a user previously registered for the event; generating,
by the KGM, a one-time key for the event; appending the shared
secret to the one-time key to generate an appended key; causing the
appended key to be transmitted to a mobile device associated with
the user previously registered for the event; and responsive to
receiving a notification within a predetermined time period
indicating the one-time key was entered at the computing device,
authenticating the event.
12. The method of claim 11, wherein the appended key is transmitted
using at least one of Single Data Message Format (SDMF), Multiple
Data Message Format (MDMF), Unstructured Supplementary Services
Data (USSD), 3G video over voice, interactive voice response (IVR),
placed telephone call and general packet radio service (GPRS).
13. The method of claim 11, wherein the computing device is a point
of sale terminal (POS) and the event is initiated in response to a
credit card being read by the POS.
14. The method of claim 11, wherein transmitting the appended key
to the mobile device comprises invoking automatically a mobile
application on the mobile device to render the appended key.
15. The method of claim 11, wherein the shared secret is at least
one of an image, a sound, a word, a phrase, a video, a number, and
an alphanumeric word.
16. The method of claim 11, wherein the one-time key is at least
one of a symbol, an alphanumeric word, and a number.
17. The method of claim 11, further comprising terminating the
event responsive to receiving a notification from the computing
device indicating that an invalid key was entered at the computing
device, wherein the invalid key is different from the one-time
key.
18. The method of claim 17, wherein the invalid key includes a
predefined key sequence known to the user previously registered for
the event.
19. The method of claim 18, further comprising receiving the
predefined key sequence from the mobile device associated with the
user previously registered for the event.
20. The method of claim 17, further comprising locking an account
associated with the user previously registered for the event.
Description
CROSS REFERENCE TO RELATED APPLICATIONS
[0001] This application is a continuation of U.S. application Ser.
No. 15/016,205, filed Feb. 4, 2016, to be issued as U.S. Pat. No.
9,699,183, which is a continuation of U.S. application Ser. No.
13/637,998, now U.S. Pat. No. 9,275,379, which is a 371 U.S.
National Stage of International Application No. PCT/IB2011/051382,
filed on Mar. 31, 2011, which claims priority to Indian Patent
Application No. 915/CHE/2010, filed on Mar. 31, 2010, and Indian
Patent Application No. 154/CHE/2010, filed on Apr. 22, 2010, each
of which are incorporated by reference in their entirety.
BACKGROUND
[0002] Embodiments of the present disclosure relate to mutual authentication between a user and a service provider. More specifically, embodiments relate to a method of mutual authentication using secondary verification over out-of-band communication.
[0003] In electronic commerce, online transactions in which a client logs into his/her bank or financial institution's account via the website offered by the financial institution have always fallen prey to hackers and phishers who guess login IDs and passwords and commit fraud. The financial transaction world has tried to avoid this by making passwords more and more complicated, login IDs more obscure, adding image recognition, etc. The hackers and phishers have always outsmarted them with newer techniques like key logging, transparent proxying, dynamic DNS rerouting, etc.
[0004] As electronic commerce expands, so does electronic fraud and identity theft. Because a single factor is sufficient to access a user account or perform a transaction, fraud and identity theft only require a perpetrator to acquire knowledge of that single factor. A consequence of the broad acceptance of single-factor authentication is, therefore, broad and pervasive fraud and identity theft. Also, for example, a user accessing his financial account online is not sure whether the transaction he has initiated is with the genuine financial institution website or with some hacker trying to impersonate the financial institution website. Hence there is a need to address the above-mentioned issues.
[0005] In light of the foregoing discussion, there is a need for mutual authentication between a user and a service provider to overcome the limitations stated above.
SUMMARY
[0006] The shortcomings of the prior art are overcome and
additional advantages are provided through the provision of a
method, device and a system as described in the description.
[0007] In one embodiment, the present disclosure provides a method for mutual authentication of a user and a service provider by: authenticating an event by a key generation module (KGM), wherein said event is generated on a computing device by a user; sending a shared secret of the registered user for the event from an authentication server to the KGM; generating a one-time key by the KGM for the initiated event; and transmitting the one-time key, with the shared secret appended, to the registered user's mobile device either as audio or video. The KGM authenticates the user for said event when the registered user enters the one-time key on the computing device within a predetermined time period. Alternatively, the KGM terminates the event upon receipt of a predefined key sequence from the mobile device.
[0008] In one embodiment, the KGM is a service provider server.
[0009] In one embodiment, the KGM comprises a service provider
server and third party server.
[0010] In one embodiment, the event to be authenticated is
transmitted by the service provider server to the authentication
server through the third party server, said authentication server
provides the shared secret to the third party server.
[0011] In an alternative embodiment, the third party server
generates the one time key.
[0012] In one embodiment the event is terminated by locking the
registered user's account.
[0013] In one embodiment the appended key is transmitted using at least one communication channel including, but not limited to, Single Data Message Format (SDMF), Unstructured Supplementary Services Data (USSD), 3G video over voice and GPRS.
[0014] In one embodiment, the event is initiated by providing a
missed call to the KGM.
[0015] In one embodiment, a mobile application is automatically
invoked upon receipt of an authentication command on the mobile
device to display the appended key.
[0016] In one embodiment, the shared secret includes, but is not limited to, images, sound, a word, a phrase, numbers and an alphanumeric word.
[0017] In one embodiment, the one-time key includes, but is not limited to, a symbol, an alphanumeric word, and numbers.
[0018] In one embodiment, the authentication server generates a
digital code and transmits it along with mobile number of the
registered user to the service provider to unlock the registered
user's account upon receipt of unlock request from the registered
user.
[0019] In one embodiment, the present disclosure also provides a
system for authenticating a user, said system comprising: a
computing device to initiate an event to be authenticated, a KGM
configured to generate a one-time key for the initiated event and
appending the generated one-time key with shared secret of a user
registered with a service provider, mobile device to receive the
appended key from the server, wherein the user upon receipt of the
appended key on his mobile device either as audio or video performs
at least one of:
[0020] entering the one-time key on the computing device for
authenticating the user for said event, or
[0021] pressing a predefined key sequence on the mobile device to
lock the user's account to terminate the event, if the event is not
initiated by the user.
[0022] In one embodiment, the server transmits the appended key to the mobile device using at least one communication channel selected from the group comprising Single Data Message Format (SDMF), Multiple Data Message Format (MDMF), Unstructured Supplementary Services Data (USSD), 3G video over voice, interactive voice response (IVR), placed telephone call and GPRS.
[0023] In one embodiment the computing device includes, but is not limited to, an Automated Teller Machine (ATM), computer, mobile phone, Personal Digital Assistant (PDA), Point of Sale (POS) terminal, any device capable of e-banking and other related devices.
[0024] The foregoing summary is illustrative only and is not
intended to be in any way limiting. In addition to the illustrative
aspects, embodiments, and features described above, further
aspects, embodiments, and features will become apparent by
reference to the drawings and the following detailed
description.
BRIEF DESCRIPTION OF THE DRAWINGS
[0025] The novel features and characteristic of the disclosure are
set forth in the appended claims. The disclosure itself, however,
as well as a preferred mode of use, further objectives and
advantages thereof, will best be understood by reference to the
following detailed description of an illustrative embodiment when
read in conjunction with the accompanying figures. One or more
embodiments are now described, by way of example only, with
reference to the accompanying figures wherein like reference
numerals represent like elements and in which:
[0026] FIG. 1 illustrates a block diagram for two-way authentication of an event according to one embodiment of the disclosure.
[0027] FIG. 2 illustrates a block diagram of one exemplary embodiment where the service provider acts as the key generation module.
[0028] FIG. 3 illustrates a block diagram of one exemplary embodiment where a third party server generates the one-time key.
[0029] FIG. 4 is a flow diagram illustrating the step-by-step process for carrying out two-way authentication.
DETAILED DESCRIPTION
[0030] In the following detailed description, reference is made to
the accompanying figures, which form a part hereof. In the figures,
similar symbols typically identify similar components, unless
context dictates otherwise. The illustrative embodiments described
in the detailed description, figures, and claims are not meant to
be limiting. Other embodiments may be utilized, and other changes
may be made, without departing from the spirit or scope of the
subject matter presented herein. It will be readily understood that
the aspects of the present disclosure, as generally described
herein, and illustrated in the figures, can be arranged,
substituted, combined, and designed in a wide variety of different
configurations, all of which are explicitly contemplated and make
part of this disclosure.
[0031] FIG. 1 illustrates an embodiment wherein an event to be authenticated is generated by a user on a computing device 103. For example, the event could be the user swiping a credit card on a point of sale terminal (POS). Once the event is generated, a key generation module (KGM) 102 generates a one-time key for the event to be authenticated. This one-time key has to be entered by the user on the POS to complete the transaction. The KGM 102 will check for the corresponding user details of the credit card in an authentication server 101. The authentication server 101 stores details of the credit card and of its user, who has registered his name in the authentication server 101. Along with other user details, the authentication server 101 stores the mobile number of the user's mobile device and a secret shared by the registered user. The KGM 102 fetches the shared secret and the mobile number of the registered user for the credit card. The one-time key is then appended with the shared secret and is sent to the mobile device. The registered user receives it and checks for the shared secret. If the shared secret is the same as the one he has already shared with the authentication server during registration, the registered user is sure of receiving the one-time key from an authorized source and not from an impersonating party.
[0032] Now, if the user who initiated the event is the same as the one who receives the appended key, then the user enters the one-time key on the POS to authenticate himself with the KGM. Thus the KGM authenticates the event when it receives the valid one-time key associated with the event. This enables the event to be processed further. Thus, by using the shared secret and the one-time key, mutual authentication is achieved.
[0033] If the user who initiated the event is not the registered user, then he would not receive the one-time key to enter on the POS; the KGM thus terminates the event, as it did not receive the valid one-time key associated with the event within a predefined time. Also, the registered user who receives the appended key containing the shared secret and the one-time key has the choice to terminate the event or to lock his account by pressing a predetermined key on his mobile device.
[0034] FIG. 2 shows one exemplary embodiment of the disclosure. The user registers a phone number with the customer's account information within a financial institution such as a bank. This concept can be applied to other business/commerce entities as well that would like to allow their customers to purchase goods online and make payment online via a mobile device. The process creates a non-repudiation overlay channel wherein the two parties that enter into a transaction of any type can fall back onto an accepted level of commitment upon themselves to honor the transaction. The mutual acceptance of the performance of a transaction is conducted in real time before the transaction is completed. If the performance level is unacceptable to any party, then the transaction is considered a failure and no annoyance or mistrust is created. The process uses an out-of-band channel of communication for the mutual authentication to be performed. The out-of-band communication channel is the mobile/cellular network, which is secure and robust. The process is not restrictive of having other media of communication incorporated into this out-of-band communication method, if desired. As an example, let a bank be a service provider who stores all customers' information in an authentication server. The authentication server also stores a shared secret between the service provider and the customer.
[0035] The user or customer initiates an event with a service provider by making a financial transaction on a computer, for example to transfer money from his account to another account. When the user initiates the event, the service provider 201 will generate a one-time key for the event. Also, the service provider 201 will check for the corresponding user details for the transaction in an authentication server 101. The authentication server 101 will have the details of users who have registered their names with the authentication server 101. The user who initiated the event has to enter the one-time key on the computer to complete the transaction.
[0036] Along with other user details stored in the authentication server 101, the server 101 holds the mobile number of the user's mobile device and a secret shared by the registered user. The service provider 201 fetches the shared secret and the mobile number of the registered user for the credit card. The one-time key is then appended with the shared secret and is sent to the mobile device. The registered user receives it and checks for the shared secret. If the shared secret is the same as the one he has already shared with the authentication server during registration, the registered user is sure of receiving the one-time key from an authorized source and not from an impersonating party.
[0037] Now, if the user who initiated the event is the same as the one who receives the appended key, then the user enters the one-time key on the computing device 103, which is a computer in this example, to authenticate himself with the service provider. This enables the event to be processed further. Thus, by using the shared secret and the one-time key, mutual authentication is achieved.
[0038] If the user who initiated the event is not the registered user, then he would not receive the one-time key to enter on the computing device 103, and this results in the event being terminated. The event is terminated if the one-time key is not entered on the computing device 103 within a predefined amount of time, say for example 15 minutes, or when an invalid/wrong key is entered. Also, the registered user who receives the appended key containing the shared secret and the one-time key has the choice to terminate the event and/or to lock his account. This is achieved by the user entering a predetermined key sequence on his mobile device, which is sent to the service provider 201.
[0039] FIG. 3 illustrates an alternative embodiment for mutually authenticating the event. When an event is generated, for example an online purchase of a commodity using a debit card on a computer, the service provider authorizes a third party server 301 to provide mutual authentication for the event. The third party server 301 then generates a one-time key for the event. Also, the third party server 301 will check for the corresponding user details for the event in the authentication server 101. The authentication server 101 stores details of the debit card and of its user, who has registered his name in the authentication server 101. The user who initiated the event has to enter the one-time key on the computer to complete the transaction.
[0040] Along with other user details stored in the authentication server 101, the server 101 holds the mobile number of the user's mobile device and a secret shared by the registered user. The third party server 301 fetches the shared secret and the mobile number of the registered user for the debit card. The one-time key is then appended with the shared secret and is sent to the mobile device. The registered user receives it and checks for the shared secret. If the shared secret is the same as the one he has already shared with the authentication server during registration, the registered user is sure of receiving the one-time key from an authorized source and not from an impersonating party.
[0041] Now, if the user who initiated the event is the same as the one who receives the appended key, then the user enters the one-time key on the computer to authenticate himself with the third party server 301. This enables the event to be processed further. Thus, by using the shared secret and the one-time key, mutual authentication is achieved.
[0042] If the user who initiated the event is not the registered user, then he would not receive the one-time key to enter on the computer to complete the transaction, thus terminating the event. The event is automatically terminated by the third party server 301 if a valid key is not entered within the predefined time period. Also, the registered user who receives the appended key containing the shared secret and the one-time key has the choice to terminate the event or to lock his account by pressing a predetermined key on his mobile device. When the third party server 301 receives the predetermined key sequence from the mobile device, it terminates the event and/or locks the account.
[0043] The appended key is transmitted to the mobile device either
as audio or video or using a caller ID mechanism or any other
technically feasible means. The shared secret or credential might
be a sound file, an image, or a PIN. It could also be a unique
string, alphanumeric word, special characters, number sequence or a
video.
[0044] This new process creates a process of registering a phone number which is related to the customer's account information within a financial institution such as a bank. This concept can be applied to other business/commerce entities as well that would like to allow their customers to purchase goods online and make payment online. The process creates a non-repudiation overlay channel wherein the two parties that enter into a transaction of any type can fall back onto an accepted level of commitment upon themselves to honor the transaction. The mutual acceptance of the performance of a transaction is conducted in real time before the transaction is completed. If the performance level is unacceptable to any party, then the transaction is considered a failure and no annoyance or mistrust is created. The process uses an out-of-band channel of communication for the mutual authentication to be performed. The out-of-band communication channel is the mobile/cellular network, which is secure and robust. The process is not restrictive of having other media of communication incorporated into this out-of-band communication method, if desired.
[0045] FIG. 4 is a flow diagram of a method for authorizing a user, according to one embodiment of the invention. Although the method steps are described in conjunction with FIGS. 1-3, persons skilled in the art will understand that any system configured to perform the method steps, in any order, is within the scope of the invention.
[0046] The method begins in step 401, where an authorization event is initiated by the user. In one embodiment, the authorization request is initiated when the user attempts to log into a web page, presenting a user name and password as authorization credentials for a financial transaction. In an alternate embodiment, the user may present a card or other form of identification device to initiate an authorization request, such as using a credit card for shopping. In one embodiment the event could be generated after the user logs into his account by providing appropriate credentials for authentication.
[0047] In step 402 a one-time key is generated for the event by a KGM. This one-time key is then appended with the shared secret of the user. The appended key is then transmitted to the registered user's mobile device at step 404. If the registered user has initiated the event, then he enters the one-time key to complete the event (406). If the KGM receives the one-time key, it authenticates the event. The shared secret confirms to the registered user that the one-time key has not been initiated by any impersonator. If the registered user has not initiated the event, then he terminates the event, locks his account, or both by pressing a predefined sequence on the mobile device (407). When the KGM receives the predefined sequence from the mobile device, it initiates action to terminate the event, lock the user account, or do both. Further, if the user who initiated the event is not the registered user, he would not receive on his mobile device the one-time key that is required to complete the event; thus, by the one-time key not being entered, the event is automatically terminated. In one embodiment the event is terminated by the KGM if the one-time key is not entered within the predefined time period.
[0048] In one embodiment, a registered user generates an event by providing a missed call or by sending an SMS to the KGM.
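The FIG. 4 flow (steps 401 to 407) and the FIG. 1 roles are modelled below as a small simulation: an authentication server holding the registered users, a KGM that issues the appended key over an injected out-of-band channel, a user-side check of the shared secret, and the KGM's outcome rules (key entered in time, wrong or late key, or the predefined lock sequence from the registered mobile). This is an added illustration written for this page, not code from the application or from Kachyng, Inc.; the 6-digit numeric key, the ":" delimiter, the "##0" lock sequence and the 15-minute window are assumed values chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTK_TTL_SECONDS = 15 * 60  # predefined entry window; [0038] gives 15 minutes as an example
OTK_DIGITS = 6             # assumed length of the numeric one-time key
LOCK_SEQUENCE = "##0"      # assumed predefined key sequence the registered user presses to lock the account
SEPARATOR = ":"            # assumed delimiter between shared secret and one-time key in the appended key


@dataclass
class RegisteredUser:
    account_id: str       # identifier read from the card or supplied at login (step 401)
    mobile_number: str
    shared_secret: str    # word or phrase chosen by the user at registration ([0016])


class AuthenticationServer:
    """Authentication server 101: registered users, their mobile numbers and shared secrets."""

    def __init__(self, users):
        self._users = {u.account_id: u for u in users}

    def lookup(self, account_id):
        return self._users.get(account_id)


@dataclass
class PendingEvent:
    account_id: str
    one_time_key: str
    issued_at: float
    status: str = "pending"  # pending | authenticated | terminated | locked


class KeyGenerationModule:
    """KGM 102: issues the appended key and decides the outcome of each event."""

    def __init__(self, auth_server, send_to_mobile, clock=time.monotonic):
        self.auth_server = auth_server
        self.send_to_mobile = send_to_mobile  # out-of-band channel (SMS, USSD, IVR, ...) per claim 2
        self.clock = clock
        self.events = {}
        self.locked_accounts = set()

    def start_event(self, event_id, account_id):
        """Steps 401-404: fetch user details, generate the one-time key, append the secret, send."""
        user = self.auth_server.lookup(account_id)
        if user is None or account_id in self.locked_accounts:
            return False
        otk = "".join(secrets.choice("0123456789") for _ in range(OTK_DIGITS))
        self.events[event_id] = PendingEvent(account_id, otk, self.clock())
        self.send_to_mobile(user.mobile_number, user.shared_secret + SEPARATOR + otk)
        return True

    def enter_key(self, event_id, key_entered):
        """Step 406: key typed on the computing device; late or wrong keys terminate the event.
        A key for an event that is already settled leaves its status unchanged."""
        ev = self.events[event_id]
        if ev.status != "pending":
            return ev.status
        if self.clock() - ev.issued_at > OTK_TTL_SECONDS:
            ev.status = "terminated"
        elif hmac.compare_digest(key_entered, ev.one_time_key):
            ev.status = "authenticated"
        else:
            ev.status = "terminated"  # claim 7: an invalid key terminates the event
        return ev.status

    def mobile_response(self, event_id, mobile_number, key_sequence):
        """Step 407: the predefined sequence, sent from the registered mobile, locks the account."""
        ev = self.events[event_id]
        user = self.auth_server.lookup(ev.account_id)
        if mobile_number != user.mobile_number or ev.status != "pending":
            return ev.status  # unregistered sender or settled event: ignored
        if hmac.compare_digest(key_sequence, LOCK_SEQUENCE):
            ev.status = "locked"
            self.locked_accounts.add(ev.account_id)
        return ev.status


def mobile_verify(appended_key, expected_secret):
    """User-side check on the mobile: accept the one-time key only if the shared secret matches."""
    secret, sep, otk = appended_key.partition(SEPARATOR)
    if sep != SEPARATOR or not hmac.compare_digest(secret, expected_secret):
        return None  # secret absent or different: treat the message as an impersonation attempt
    return otk
```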
[0049] The present disclosure is not to be limited in terms of the
particular embodiments described in this application, which are
intended as illustrations of various aspects. Many modifications
and variations can be made without departing from its spirit and
scope, as will be apparent to those skilled in the art.
Functionally equivalent methods and devices within the scope of the
disclosure, in addition to those enumerated herein, will be
apparent to those skilled in the art from the foregoing
descriptions. Such modifications and variations are intended to
fall within the scope of the appended claims. The present
disclosure is to be limited only by the terms of the appended
claims, along with the full scope of equivalents to which such
claims are entitled. It is also to be understood that the
terminology used herein is for the purpose of describing particular
embodiments only, and is not intended to be limiting.
[0050] With respect to the use of substantially any plural and/or
singular terms herein, those having skill in the art can translate
from the plural to the singular and/or from the singular to the
plural as is appropriate to the context and/or application. The
various singular/plural permutations may be expressly set forth
herein for sake of clarity.
[0051] In addition, where features or aspects of the disclosure are
described in terms of Markush groups, those skilled in the art will
recognize that the disclosure is also thereby described in terms of
any individual member or subgroup of members of the Markush
group.
[0052] While various aspects and embodiments have been disclosed
herein, other aspects and embodiments will be apparent to those
skilled in the art. The various aspects and embodiments disclosed
herein are for purposes of illustration and are not intended to be
limiting, with the true scope and spirit being indicated by the
following claims.
* * * * *