U.S. patent application number 15/796567 was filed with the patent office on 2018-02-22 for authentication system and method for operating an authentication system.
This patent application is currently assigned to Bojan Stopic. The applicant listed for this patent is Bojan Stopic. Invention is credited to Manuel Lautenschlager.
Application Number: 20180054431 (15/796567)
Family ID: 46044149
Filed Date: 2018-02-22
United States Patent Application 20180054431
Kind Code: A1
Lautenschlager; Manuel
February 22, 2018
AUTHENTICATION SYSTEM AND METHOD FOR OPERATING AN AUTHENTICATION SYSTEM
Abstract
An authentication system for authenticating a human requester
requesting a service, wherein the authentication system is
configured to establish via a first and a second port of the
authentication system an authentication communication channel
comprising a first communication channel to the requester and a
second communication channel to a human authenticator, such that at
least one of an audio stream of a voice of the requester, a video
stream of a face of the requester and a 3D-data stream of the face
of the requester is transmittable between the end node device of
the requester and the end node device of the authenticator; and to
record a confirmation message of the authenticator, wherein the
confirmation message confirms or rejects at least one of the
claimed identity and the requested service.
Inventors: Lautenschlager; Manuel (Muenchen, DE)
Applicant: Stopic; Bojan, Muenchen, DE
Assignee: Stopic; Bojan, Muenchen, DE
Family ID: 46044149
Appl. No.: 15/796567
Filed: October 27, 2017
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number | Continued by
14745234 | Jun 19, 2015 | 9832180 | 15796567
13854696 | Apr 1, 2013 | 9094387 | 14745234
61617866 | Mar 30, 2012 | |
Current U.S. Class: 1/1
Current CPC Class: G06F 21/30 20130101; G07C 2209/04 20130101; G06F 21/32 20130101; G07C 9/37 20200101; H04L 63/0861 20130101; H04L 63/18 20130101; H04L 63/08 20130101; H04L 63/105 20130101; G06F 21/313 20130101
International Class: H04L 29/06 20060101 H04L029/06; G07C 9/00 20060101 G07C009/00
Foreign Application Data
Date | Code | Application Number
Mar 30, 2012 | EP | 12002325.4
Claims
1. An authentication system for authenticating a human requester
requesting a service, the authentication system comprising: a first
port, configured such that a first communication channel is
establishable via an end node device of the requester and a
communication link between the first port and the end node device
of the requester; a second port, configured such that a second
communication channel is establishable via an end node device of a
human authenticator and a communication link between the second
port and the end node device of the authenticator; and a storage
device configured to store a plurality of contact data entries;
wherein the authentication system is configured to record an
identity claimed by the requester and a service requested by the
requester; to select from the plurality of contact data entries a
contact data entry of the end node device of the authenticator; to
establish the second communication channel depending on the
selected contact data entry; to establish via the first and the
second port an authentication communication channel comprising the
first communication channel and the second communication channel
such that at least one of an audio stream of a voice of the
requester, a video stream of a face of the requester and a 3D-data
stream of the face of the requester is transmittable between the
end node device of the requester and the end node device of the
authenticator; and to record a confirmation message of the
authenticator, wherein the confirmation message confirms or rejects
at least one of the claimed identity and the requested service.
2. The authentication system of claim 1, wherein the storage device
is configured to store a plurality of contact data entries of a
plurality of human authenticators, a plurality of identities of
potential human requesters and authorization data; wherein for each
of the plurality of authenticators, the authorization data assign
to the respective authenticator one or more of the identities of
the potential requesters, which the respective authenticator is
authorized to authenticate.
3. The authentication system of claim 1, wherein the selecting of
the contact data entry comprises identifying one or more
authenticators from a plurality of human authenticators, such that
for each of the identified authenticators, there is a personal
relationship between the requester and the respective identified
authenticator.
4. The authentication system of claim 1, wherein the selecting of
the contact data entry comprises identifying one or more
authenticators from a plurality of human authenticators wherein
each of the identified authenticators is authorized to authenticate
the claimed identity.
5. The authentication system of claim 1, wherein the authentication
communication channel is configured such that the authentication
communication channel allows the authenticator to at least one of
listen to a voice of the requester and watch the face of the
requester.
6. The authentication system of claim 1, wherein the authentication
system is configured to establish, in response to the requesting of
the service, the first communication channel to the requester.
7. The authentication system of claim 1, wherein the authentication
system is configured to establish at least one of the first
communication channel and the second communication channel such
that a security level of the authentication communication channel
meets a predefined security criterion.
8. The authentication system of claim 1, wherein the authentication
system is configured to select at least one of a contact data entry
of the end node device of the requester and the contact data entry
of the end node device of the authenticator such that a security
level of the authentication communication channel meets a
predefined security criterion.
9. The authentication system of claim 1, wherein the authentication
system is configured to select the contact data entry of the end
node device of the authenticator depending on the claimed
identity.
10. The authentication system of claim 1, wherein the
authentication system is further configured to establish at least
one further communication channel to at least one further human
authenticator such that at least one of a further audio stream of
the voice of the requester, a further video stream of the face of
the requester and a further 3D-data stream of the face of the
requester is transmittable between the end node device of the
requester and an end node device of the further authenticator.
11. The authentication system of claim 10, wherein the
authentication system is further configured to determine a number
of the at least one further authenticator such that a security
level of the authentication meets a predefined authentication
security criterion.
12. The authentication system of claim 1, wherein the
authentication system is configured to analyze the at least one of
the audio stream, the video stream and the 3D-data stream to
extract characteristics, which correspond to at least one of the
requester, the authenticator and a combination of the requester and
the authenticator.
13. The authentication system of claim 1, wherein the
authentication communication channel is configured such that an
audio stream is transmittable between the end node device of the
requester and the end node device of the authenticator; wherein the
authentication system further comprises a filter, which is
configured to check the audio stream for a two-way conversation
between the requester and the authenticator.
14. The authentication system of claim 1, wherein the
authentication system is configured to assign each of the first
communication channel and the second communication channel to one
of a group of predefined security classes; and to determine a
security level of the authentication communication channel, wherein
the security level of the authentication communication channel
depends on whether or not the security class of the first
communication channel and the security class of the second
communication channel are different.
15. The authentication system of claim 1, wherein the
authentication system is configured to establish the first
communication channel, wherein the establishing of the first
communication channel comprises waiting a first random delay time
before contacting the end node device of the requester; and/or
wherein the establishing of the second communication channel
comprises waiting a second random delay time before contacting the
end node device of the authenticator.
16. The authentication system of claim 1, wherein the
authentication system is configured to establish the first
communication channel depending on the claimed identity, wherein
the establishing of the first communication channel comprises
randomly selecting a contact data entry of the end node device of
the requester from a first subset of the plurality of contact data
entries; and/or wherein the establishing of the second
communication channel comprises randomly selecting a contact data
entry of the end node device of the authenticator from a second
subset of the plurality of contact data entries.
17. The authentication system of claim 1, wherein the
authentication system is configured to randomly select a selection
algorithm from a plurality of selection algorithms, each of which
configured to perform at least one of the selecting of a contact
data entry of the end node device of the authenticator and a
selecting of a contact data entry of the end node device of the
requester.
18. The authentication system of claim 1, wherein the
authentication system is further configured to transmit, in
response to a status change of the authenticating of the requester,
a status update to the requester via the first communication
channel; and to wait a random delay time between the status change
and the transmitting of the status update.
19. A method of authenticating a human requester requesting a
service using an authentication system and a first communication
channel, wherein the first communication channel comprises an end
node device of the requester and a communication link between a
first port of the authentication system and the end node device of
the requester, the method comprising: recording an identity claimed
by the requester and a service requested by the requester;
selecting from a plurality of contact data entries stored on a
storage device of the authentication system a contact data entry of
an end node device of a human authenticator; establishing a second
communication channel via the end node device of the authenticator
and a communication link between a second port of the
authentication system and the end node device of the authenticator
depending on the selected contact data entry; establishing via the
first and the second port an authentication communication channel
comprising the first communication channel and the second
communication channel such that at least one of an audio stream of
a voice of the requester, a video stream of a face of the requester
and a 3D-data stream of the face of the requester is transmittable
between the end node device of the requester and the end node
device of the authenticator; and recording a confirmation message
of the authenticator, wherein the confirmation message confirms or
rejects at least one of the claimed identity and the requested
service.
20. The method according to claim 19, further comprising storing on
a storage device a plurality of contact data entries of a plurality
of human authenticators, a plurality of identities of potential
human requesters and authorization data; wherein the authorization
data assign to each of the plurality of authenticators one or more
of the identities of the potential requesters, which the respective
authenticator is authorized to authenticate.
21. The method of claim 19, wherein the authentication
communication channel is configured such that the authentication
communication channel allows the authenticator to at least one of
listen to a voice of the requester and watch the face of the
requester.
22. The method of claim 19, wherein the selecting of the contact
data entry comprises identifying one or more authenticators from a
plurality of human authenticators, wherein the identified
authenticators are authorized to authenticate the claimed
identity.
23. The method of claim 19, wherein the selecting of the contact
data entry comprises identifying one or more authenticators from a
plurality of human authenticators, wherein for each of the
identified authenticators, there is a personal relationship between
the requester and the respective identified authenticator.
24. The method of claim 19, further comprising establishing the
first communication channel via the end node device of the
requester and the communication link between the first port of the
authentication system and the end node device of the requester.
25. A non-transitory computer-readable storage medium storing
instructions that, when executed by a computer, cause the computer
to perform a method of authenticating a human requester requesting
a service using an authentication system and a first communication
channel, wherein the first communication channel comprises an end
node device of the requester and a communication link between a
first port of the authentication system and the end node device of
the requester, the method comprising: recording an identity claimed
by the requester and a service requested by the requester;
selecting from a plurality of contact data entries stored on a
storage device of the authentication system a contact data entry of
an end node device of a human authenticator; establishing a second
communication channel via the end node device of the authenticator
and a communication link between a second port of the
authentication system and the end node device of the authenticator
depending on the selected contact data entry; establishing via the
first and the second port an authentication communication channel
comprising the first communication channel and the second
communication channel such that at least one of an audio stream of
a voice of the requester, a video stream of a face of the requester
and a 3D-data stream of the face of the requester is transmittable
between the end node device of the requester and the end node
device of the authenticator; and recording a confirmation message
of the authenticator, wherein the confirmation message confirms or
rejects at least one of the claimed identity and the requested
service.
Description
RELATED APPLICATIONS
[0001] This application is a continuation of, and hereby claims
priority to, pending U.S. patent application Ser. No. 14/745,234
entitled "Authentication System and Method for Operating an
Authentication System" by the same inventor as the instant
application, which was filed on 19 Jun. 2015. U.S. patent
application Ser. No. 14/745,234 is a continuation of, and hereby
claims priority to, U.S. patent application Ser. No. 13/854,696
entitled "Authentication System and Method for Operating an
Authentication System" by the same inventors as the instant
application, which was filed on 1 Apr. 2013. U.S. patent
application Ser. No. 13/854,696 is a non-provisional of, and claims
priority to U.S. Provisional Patent Application No. 61/617,866
filed 30 Mar. 2012, entitled "Authentication System and Method for
Operating an Authentication System" by the same inventors as the
instant application. U.S. patent application Ser. No. 13/854,696
also claims priority to European Patent Application No. 12 002
325.4 by the same inventors as the instant application filed on 30
Mar. 2012. All of the above-identified applications are herein
incorporated by reference in their entirety for all purposes.
TECHNICAL FIELD
[0002] This invention relates to an authentication system, for
confirming an identity claimed by a requester, who requests a
service via a communication channel. In particular, the present
invention relates to an authentication system for authenticating a
requester based on an audio and/or video conference between the
requester and an authenticator selected by the authentication
system.
BACKGROUND ART
[0003] Services, such as transactions between bank accounts, are
nowadays mostly initiated via wired or wireless communication
channels, such as telephone networks or the Internet. Access to
such services is typically controlled by authentication procedures.
The most widely applied authentication procedures range from simple
techniques, such as requesting a username and a password, to
technically more advanced procedures that rely on biometric data
read by a biometric sensor, such as a fingerprint capturing module.
[0004] Generally speaking, technically complex and cost-intensive
technologies are required to ensure a high level of security.
However, even the complex technologies applied today are often
vulnerable to attacks such as a man-in-the-middle attack. In such an
attack, the attacker sets up independent connections with the
service requester and the service provider and then relays messages
between them, making them believe that they are communicating
directly with each other over a secure connection. Thereby, for
example, an attacker may retrieve biometric data from a requester,
which can then be used to compromise the service provider's system.
Attackers may also use tools such as keystroke loggers, sniffers or
trojans to manipulate a system into forwarding calls. Mobile phones
used by requesters may be spied on using an IMSI-catcher.
[0005] The various services offered by a service provider often
differ tremendously in the desired security level. For example, the
amount of money transferred by bank transactions may vary
considerably between single transactions. Therefore, technically
complex and cost-intensive solutions are only implementable for a
small number of service requests.
[0006] Hence, there is a need to offer an authentication system
that is configurable for very high security at minimal additional
cost.
[0007] This problem is solved by the subject-matter of the
independent claims. Further embodiments are subject of the
dependent claims.
SUMMARY
[0008] Embodiments provide an authentication system for
authenticating a requester requesting a service, the authentication
system comprising: a first port, configured such that a first
communication channel is establishable via an end node device of
the requester and a communication link between the first port and
the end node device of the requester; a second port, configured
such that a second communication channel is establishable via an
end node device of an authenticator and a communication link
between the second port and the end node device of the
authenticator; and a storage device configured to store a plurality
of contact data entries; wherein the authentication system is
configured to record an identity claimed by the requester and a
service requested by the requester; to select from the plurality of
contact data entries a contact data entry of the end node device of
the authenticator; to establish the second communication channel
depending on the selected contact data entry; to establish via the
first and the second port an authentication communication channel
comprising the first communication channel and the second
communication channel such that at least one of an audio stream of
a voice of the requester, a video stream of a face of the requester
and a 3D-data stream of the face of the requester is transmittable
between the end node device of the requester and the end node
device of the authenticator; and to record a confirmation message
of the authenticator, wherein the confirmation message confirms or
rejects at least one of the claimed identity and the requested
service.
[0009] Accordingly, an authentication system is provided, which
allows an authenticator to confirm the claimed identity of the
requester or to confirm the requested service by listening to the
voice of the requester and/or by watching a face image of the
requester's face. Thereby, it is possible for the authenticator to
reliably authenticate the claimed identity of the requester. Hence,
a high security level is ensured, making it difficult or even
impossible for attackers to gain illegitimate access to
services.
[0010] The requester and the authenticator are each persons. The
requester may request to access the requested service. The
authentication system may be configured to perform authentication
of the requester and to forward the service request to a service
provider, such as a bank employee, or an online bank service
system. The claimed identity and the requested service may be
recorded by the authentication system via the first communication
channel.
[0011] The authentication system may comprise a computer system.
The computer system may comprise a storage device. Executable code
stored on the computer system may provide instructions for
implementing the operation of the authentication system.
[0012] The executable code may comprise an API (application
programming interface). The API may provide a programming interface
for calling procedures from third-party-software and/or internal
usage. Authentication requests may be sent to a
third-party-software that is configured to communicate with the
API. The third-party-software may use the API to trigger the
authentication process performed by the authentication system
and/or to configure the authentication system.
[0013] Recording a claimed identity and/or recording the service
requested by the requester may comprise storing and/or analyzing an
audio stream transmitted from the requester to the authentication
system. The audio stream may be captured with a microphone of an
end node device of the requester. Additionally or alternatively,
data may be stored which correspond to digits entered by the
requester on a keypad of the end node device of the requester.
Recording the identity claimed by the requester, the service
requested by the requester and/or the confirmation message may
comprise storing the claimed identity, the requested service and/or
the confirmation message on the storage device, in particular a
random access storage device of the authentication system.
[0014] A second communication channel is established to the
authenticator. The second communication channel may be established
depending on a contact data entry selected from a plurality of
contact data entries. The plurality of contact data entries may be
stored on a storage device of the authentication system. In other
words, the contact data entry is used to contact the authenticator.
For example, the contact data entry may be a phone number, in which
case the authenticator's phone is called.
[0015] The first communication channel may be established by the
requester. The requested service and/or the claimed identity may be
transmitted via the first communication channel. Alternatively, the
authentication system may be configured to establish the first
communication channel after the claimed identity has been recorded.
The authentication system may be configured to select a contact
data entry of the end node device of the requester from the
plurality of contact data entries stored on the storage device of
the authentication system.
[0016] The authentication system may be configured to establish a
first session with the end node device of the requester via the
first communication channel. Furthermore, the authentication system
may be configured to establish a second session with the end node
device of the authenticator via the second communication channel.
Establishing the authentication communication channel may comprise
merging the first session and the second session into an
authentication session. The authentication system may be configured
to split the authentication session after the authenticator and/or
the requester has indicated that the authentication has been
finished.
[0017] The first and/or the second ports may be physical or logical
ports. The authentication communication channel is established via
the first port and the second port. Thereby, the authentication
communication channel comprises the first communication channel,
the second communication channel, the first port and the second
port. Establishing the authentication communication channel may
comprise merging or combining a communication thread of the
requester and a communication thread of the authenticator. The
communication thread of the requester is connected to the first
communication channel, and the communication thread of the
authenticator is connected to the second communication channel. The
authentication system may comprise a conferencing bridge for
establishing the authentication communication channel between the
end node device of the requester and the end node devices of one or
more authenticators.
[0018] At least one of an audio stream of a voice of the requester,
a video stream of a face of the requester and a 3D-data stream of
the face of the requester is transmittable between the end node
device of the requester and the end node device of the
authenticator. In other words, it is possible for the authenticator
to listen to the voice of the requester and/or to view an image of
the face of the requester. Thereby, it is possible for the
authenticator to confirm the requester's claimed identity and/or
the requested service based on the voice and/or based on the face
image.
[0019] The audio stream may be a real-time audio stream; the video
stream may be a real-time video stream; and/or the 3D-data stream
may be a real-time 3D-data stream. The video stream may consist of
a time series of image frames. The 3D-data stream may consist of a
time series of three-dimensional data. The three-dimensional data
may be data defining a hologram or a point cloud. For example, the
point cloud may define the three-dimensional surface of the
requester's face. The authentication communication channel may be
configured such that a real-time conversation is establishable
between the authenticator and the requester. The authentication
communication channel may be configured such that the at least one
of the audio stream, the video stream and the 3D-data stream is
transmittable bidirectionally between the end node device of the
requester and the end node device of the authenticator.
[0020] The confirmation message may be generated with the end node
device of the authenticator. Recording the confirmation message of
the authenticator may comprise storing and/or analyzing an audio
stream transmitted from the authenticator to the authentication
system. The audio stream may be captured with a microphone of an
end node device of the authenticator. Additionally or
alternatively, data may be stored by the authentication system which
correspond to digits entered by the authenticator on a keypad of the
end node device of the authenticator. Additionally or alternatively,
the authentication system may receive data transmitted by the end
node device of the authenticator or by an application running on it.
For example, the authenticator may select a button of a graphical
user interface displayed by an application running on the end node
device of the authenticator by clicking the button with a mouse
pointer. The end node device of the authenticator may register the
click and transmit corresponding data, which represent the
confirmation message, to the authentication system. For example, the
confirmation message may contain information on whether or not the
claimed identity of the requester is correct. Additionally or
alternatively, the confirmation message may contain information on
whether the requested service is approved or denied.
[0021] The confirmation message may be transmitted via the second
communication channel. Alternatively, the confirmation message may
be transmitted via a communication channel, which is different from
the second communication channel.
[0022] The authentication system may further be configured to
transmit data to the authenticator identifying the requested
service and/or the claimed identity. For example, the
authentication system may transmit audio data to the end node
device of the authenticator representing speech that announces to
the authenticator the claimed identity and/or the requested
service. Additionally or alternatively, the claimed identity and
the requested service may be displayed on the end node device of
the authenticator. Thereby, it is possible for the authenticator to
compare the voice and/or face image of the requester with the
claimed identity. Moreover, it is possible for the authenticator to
discuss with the requester details of the requested service.
[0023] The plurality of contact data entries are stored on a
storage device of the authentication system. The storage device may
comprise one or more read-only memory (ROM) devices or one or more
random access memory (RAM) devices. The contact data entries may be
stored on a storage device, which is connected with a processor of
the authentication system via a communication network. The storage
device may comprise a plurality of sub-storage devices, which are
located at different locations and are connected via a
communication network, such as the Internet. The storage device may
be represented by a cloud storage site.
[0024] Each of the contact data entries may represent a contact to
an authenticator and/or a contact to a requester. Depending on the
contact data entries, the first communication channel to the
requester and/or the second communication channel to the
authenticator of the requester is establishable. A contact data
entry may be for example a phone number or a user address for a
video over IP session. The authentication system may be configured
to select a contact data entry of the end node device of the
authenticator from among contact data entries, which correspond to
persons, who are authorized and/or able to authenticate the claimed
identity. The authentication system may comprise a database which
assigns to each of the plurality of contact data entries for
contacting authenticators one or more identities, wherein the
authenticator who corresponds to the contact data entry is
authorized and/or able to authenticate the assigned one or more
claimed identities. The database may be stored on the storage
device.
[0025] Further criteria for selecting the contact data entry of the
end node device of the authenticator may be applied, such as
working experience, position or function within the organization of
the authenticator.
[0026] The plurality of contact data entries may comprise a
plurality of contact data entries, which correspond to a same
authenticator. Additionally or alternatively, the plurality of
contact data entries may comprise a plurality of contact data
entries, which correspond to the requester.
[0027] The authentication system may further be configured to issue
an authentication message depending on the information of the
confirmation message, which has been received from the
authenticator. The authentication message may be forwarded to a
service provider. The authentication message may comprise
information on whether or not the requested service is approved
and/or the claimed identity of the requester is confirmed. The
service provider may be configured to process the requested service
in case the claimed identity and/or the requested service are
confirmed.
[0028] According to a further embodiment, the authentication system
is configured to receive a service request from a requesting end
node device. The requesting end node device may be operated by the
requester. Alternatively, the requesting end node device may be
operated by a person, who is different from the requester and the
authenticator. It is also conceivable that the requested service is
transmitted or triggered from a system. For example, an alarm may be
triggered by a sensor sensing a dangerous condition. The requester
may then be a person who is entitled to perform actions to
eliminate the dangerous condition after the requester has been
authenticated by the authenticator.
[0029] The authentication system may be configured to establish in
response to the service request the first communication channel to
the requester. Thereby, for example, the request and the claimed
identity may be recorded via a communication channel which is
different from the first communication channel that is subsequently
established to the requester. A different communication channel may
be provided by a different communication link, a different end node
device, and/or a different application software running on the end
node device which provides the functionality of the communication
channel.
Establishing the first communication channel may comprise selecting
a contact data entry from a plurality of contact data entries of
the requester depending on the claimed identity. The plurality of
contact data entries of the requester may be stored on a storage
device.
[0030] Accordingly, it is possible for the authentication system to
establish the first communication channel such that a security
level of the authentication communication channel meets a required
criterion. Thereby, it is possible to increase the security of the
authentication and confirmation process.
[0031] Establishing the first and/or second communication channel
may comprise selecting a communication protocol and/or an
encryption of the data transport via the respective communication
channel. By way of example, the first communication channel may be
established such that the requesting end node device is different
from the end node device to which the authentication system
connects via the first communication channel. Additionally or
alternatively, the first communication channel may be established
such that a communication protocol via which the service request
and/or the claimed identity is transmitted to the authentication
device is incompatible with a communication protocol of the first
communication channel. Thereby, it is more difficult for an
attacker to gain illegitimate access to services, since this would
require the attacker to connect to two different end node devices
of the requester or to connect to two mutually incompatible
communication channels.
[0032] According to an embodiment, the storage device is configured
to store a plurality of contact data entries of a plurality of
authenticators, a plurality of identities of potential requesters
and authorization data. For each of the plurality of
authenticators, the authorization data may assign to the respective
authenticator one or more of the identities of the potential
requesters. The authorization data may be configured such that the
respective authenticator is able and/or authorized to authenticate
the one or more assigned identities. Additionally or alternatively,
the authorization data may be configured such that there is a
personal relationship between the respective authenticator and each
of the one or more assigned identities. For each of the plurality
of authenticators, the authorization data may define authorization
roles and/or privileges to authenticate the assigned identities.
For each of the plurality of authenticators, the authorization data
may be a predefined authorization to authenticate the assigned
identities.
[0033] According to a further embodiment, the selecting of the
contact data entry comprises identifying one or more authenticators
from a plurality of authenticators, wherein each of the identified
authenticators is able and/or authorized to authenticate the
claimed identity of the requester. Additionally or alternatively,
the one or more authenticators may be identified from the plurality
of authenticators depending on the requested service, depending on
the claimed identity of the requester and/or depending on a
security level of the authentication.
[0034] Identifying the one or more authenticators may comprise
comparing the claimed identity of the requester with the identities
of the potential requesters stored in the storage device.
Identifying the one or more authenticators may comprise determining
those authenticators from the plurality of authenticators, to whom
the claimed identity of the requester is assigned by the
authorization data.
[0035] According to an embodiment, the selecting of the contact
data entry comprises identifying one or more authenticators from a
plurality of authenticators, wherein for each of the identified
authenticators, there is a personal relationship between the
requester who requests the service and the respective identified
authenticator.
[0036] According to a further embodiment, for each of the plurality
of authenticators, the authorization data depend on personal
relationships between the respective authenticator and the
identities of the potential requesters and/or the authorization
data depend on whether or not the respective authenticator is able
and/or authorized to authenticate the identities of the potential
requesters. The authorization data may assign an identity of a
potential requester to an authenticator, when there is a personal
relationship between the potential requester and the authenticator
and/or when the authenticator is authorized and/or able to
authenticate the potential requester.
[0037] According to a further embodiment, the authentication
communication channel is configured such that the authentication
communication channel allows the authenticator to at least one of
listen to a voice of the requester and watch the face of the
requester. The authentication communication channel may be
configured such that the authentication communication channel
allows a two-way conversation between the requester and the
authenticator.
[0038] According to a further embodiment, the authentication system
is configured to establish, in response to the requesting of the
service, the first communication channel to the requester.
[0039] According to a further embodiment, the authentication system
is configured to establish at least one of the first communication
channel and the second communication channel such that a security
level of the authentication communication channel meets a
predefined security criterion.
[0040] Accordingly, it is possible to ensure a sufficiently high
security level for the authentication and confirmation process. The
establishing of the first and second communication channel may
comprise selecting a contact data entry of the end node device of
the requester and a contact data entry of the end node device of
the authenticator from the plurality of contact data entries.
[0041] The security level of the authentication communication
channel may be defined such that it is a measure for the security
of the data transport through the authentication communication
channel. Accordingly, the security level of the first and/or second
communication channel may be defined such that it is a measure for
the security of the data transport through the respective first and
second communication channel.
[0042] The predefined security criterion may be a threshold value
for the security level of the authentication communication channel.
Additionally or alternatively, the security criterion may require
that the security level of the authentication communication channel
has to assume a maximum.
[0043] The security level of the authentication communication
channel may be determined depending on at least one of the
following: a communication protocol of the first and/or second
communication channel, a type of the communication link, which
forms part of the first communication channel, a type of the
communication link, which forms part of the second communication
channel, a type of the end node device of the requester and/or
authenticator, an operating system of the end node device of the
requester and/or authenticator, a location of the end node device
of the requester and/or the end node device of the authenticator,
whether or not the authentication system has waited a random delay
time before contacting the end node device of the requester and/or
the end node device of the authenticator, and an application
running on the end node device of the requester and/or an
application running on an end node device of the authenticator. The
application may be an application, which is involved in managing
data transmission via the authentication communication channel.
[0044] A type of the end node device may be one of a plurality of
predefined types of end node devices. For example, the plurality of
types of end node devices may be defined by grouping the end node
devices into mobile telephones, wired telephones and computer
devices. A type of the communication link may be one of a plurality
of predefined types of communication links. By way of example, the
predefined types of communication links may be defined by grouping
the communication links into mobile phone communication links,
wired telephone communication links and Internet communication
links.
[0045] Furthermore, the security level of the authentication
communication channel may depend on whether or not the
authentication system waits a random delay time before establishing
the first communication channel and the second communication
channel. The security level of the authentication communication
channel may depend on the random time range based on which the
random delay time is determined.
[0046] The security level of the authentication communication
channel may depend on the degree of complexity which is required
for attacking the authentication communication channel. For
example, the security level of the authentication communication
channel may be high in case a communication protocol of the first
communication channel is incompatible with a communication protocol
of the second communication channel. Thereby, the security level of
the authentication communication channel may depend on the
communication protocol of the first communication channel and the
communication protocol of the second communication channel.
Additionally or alternatively, the security level of the
authentication communication channel may depend on an encryption of
the first communication channel and an encryption of the second
communication channel. By way of example, the security level of the
authentication communication channel may be high in case the
encryption of the first communication channel is incompatible with
an encryption of the second communication channel.
[0047] According to a further embodiment, the authentication system
is configured to select at least one of a contact data entry of the
end node device of the requester and the contact data entry of the
end node device of the authenticator such that a security level of
the authentication communication channel meets a predefined
security criterion.
[0048] Accordingly, it is possible to ensure a sufficiently high
security level for the authentication or confirmation process. The
contact data entry of the end node device of the requester may be
selected from the plurality of contact data entries stored on the
storage device. By way of example, the contact data entry of the
end node device of the requester and/or the contact data entry of
the end node device of the authenticator may be chosen such that
the communication protocol of the first communication channel and
the communication protocol of the second communication channel are
mutually incompatible. Thereby, it is more difficult for the
attacker to gain access to the first communication channel and the
second communication channel. Additionally or alternatively, the
contact data entry of the end node device of the requester and/or
the contact data entry of the end node device of the authenticator
are selected such that a type of the end node device of the
requester is different from a type of the end node device of the
authenticator. According to a further embodiment, the
authentication system is configured to implement a data transport
on the first communication channel and/or a data transport on the
second communication channel such that the security level of the
authentication communication channel meets the predefined security
criterion. Implementing the data transport may comprise selecting
an encryption and/or a communication protocol for the data
transport via the respective communication channel.
[0049] According to a further embodiment, the authentication system
is configured to select the contact data entry of the end node
device of the authenticator depending on the claimed identity.
Selecting the contact data entry of the end node device of the
authenticator depending on the claimed identity may comprise
identifying one or more authenticators, who are able and/or
authorized to authenticate the claimed identity.
[0050] The storage device may be configured to store a plurality of
identities. Each of the plurality of identities may correspond to a
potential requester. By way of example, an identity is a name of a
person. The storage device may further be configured to store
authorization data. The authorization data may assign to each of
the authenticators, one or more of the identities. The respective
authenticator may be able and/or authorized to authenticate the
assigned identities via the authentication communication channel.
The authorization data may comprise permissions, settings and/or
statistics. The authorization data may depend on a personal
relationship between the authenticator and the person who is
represented by the identity.
[0051] The authentication system may be configured to compare the
claimed identity of the requester with the identities stored on the
storage device and to identify those authenticators who are able
and/or authorized to authenticate the claimed identity. An
authenticator may be able and/or authorized to authenticate a
person, when there is a personal relationship between the
authenticator and the person. Thereby, it is ensured that the
authenticator can reliably authenticate the requester via the
authentication communication channel.
[0052] The authentication system may comprise a database which is
stored on the storage device, wherein the plurality of contact data
entries of the authenticators, the plurality of identities and the
authorization data are stored in the database. Additionally, the
contact data of the requesters may be stored in the database.
[0053] According to a further embodiment, the authentication system
is configured to establish at least one further communication
channel to at least one further authenticator such that at least
one of a further audio stream of the voice of the requester, a
further video stream of the face of the requester, and a further
3D-data stream of the face of the requester is transmittable
between the end node device of the requester and an end node device
of the further authenticator.
[0054] The further communication channel may be established via the
end node device of the further authenticator and a communication
link between the authentication system and the end node device of
the further authenticator. The authentication system may comprise
an audio and/or video conferencing server. In particular, the
authentication system may be configured to receive audio and/or
video streams from the requester and/or the authenticator, and to
select, which audio streams and/or video streams are transmitted to
the requester and to the one or more authenticators.
[0055] The authentication system may be configured to establish an
authentication communication channel between the requester, the
authenticator and the one or more further authenticators.
Alternatively, the authentication system may be configured to
establish a further authentication communication channel at a later
point in time between the requester and one or more of the further
authenticators. Thereby, the further authenticator may confirm the
claimed identity and/or the requested service. It is also
conceivable that the authenticator confirms the claimed identity
and the further authenticator confirms the requested service.
[0056] Alternatively, the second authentication communication
channel may be established between the authenticator and the
further authenticator. Thereby, the further authenticator may
confirm the identity of the authenticator.
[0057] According to a further embodiment, the authentication system
is configured to determine a number of the at least one further
authenticator such that a security level of the authentication
meets a predefined authentication security criterion.
[0058] The security level of the authentication may be defined as a
measure for a burden for an attacker to gain illegitimate access to
the service. By way of example, in case the requested service
requires a high security level, the authentication system may set
the number of the at least one further authenticator to three. On
the other hand, in case the requested service requires a low
security level, the authentication system may set the number of the
at least one further authenticator to zero.
[0059] The predefined authentication security criterion may be a
threshold value for the security level of the authentication
process. Additionally or alternatively, the authentication security
criterion may require that the security level of the authentication
process has to assume a maximum.
[0060] According to a further embodiment, the authentication system
is configured to analyze the at least one of the audio stream, the
video stream and the 3D-data stream to extract characteristics,
which correspond to at least one of the requester, the
authenticator and a combination of the requester and the
authenticator.
[0061] The authentication system may be configured to apply a voice
recognition algorithm to the audio stream transmitted between the
end node device of the requester and the end node device of the
authenticator. Additionally or alternatively, the authentication
system may be configured to apply a face recognition algorithm to
the video stream and/or the 3D-data stream transmitted between the
end node device of the authenticator and the end node device of the
requester. The authentication system may be configured as an
artificial intelligence system, which performs the voice and/or
face recognition. The authentication system may further apply a
checksum algorithm to check, whether the voice of the requester and
the voice of the authenticator are simulated by a same
recording.
[0062] The voice recognition algorithm may be configured to extract
voice patterns, such as the pitch of the voice, a dialect, or the
words which are spoken. Furthermore, a conversation recognition
algorithm may be applied to the audio stream and/or video stream to
identify characteristics of the conversation between the requester
and the authenticator, such as words spoken, lengths of statements
and times between successive statements. The authentication system
may be configured to determine, whether a two-way conversation
takes place between the authenticator and the requester. A two-way
conversation may be defined as a communication between two parties
which comprises statements from each of the parties. By way of
example, the voice recognition algorithm may be configured to
determine, whether the audio stream represents voices of two
different persons. Since the first communication channel and the
second communication channel are connected to different ports of
the authentication system, it is possible to determine, whether a
voice and/or audio stream is transmitted from the end node device
of the requester.
[0063] According to a further embodiment, the authentication
communication channel is configured such that an audio stream is
transmittable between the end node device of the authenticator and
the end node device of the requester; wherein the authentication
system further comprises a filter, which is configured to check the
audio stream for a two-way conversation between the requester and
the authenticator.
[0064] Accordingly, it is possible to check, whether the
authenticator confirms the claimed identity of the requester after
an actual conversation between the requester and the authenticator
has taken place. Thereby, the security level ensured by the
authentication is further increased.
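The two-way conversation filter of [0063] and the checksum comparison of [0061] can be sketched as follows. This is an added Python example and not code from the application; the Segment layout, the per-port speech segments, the port numbering and the three thresholds are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One statement heard on one port of the authentication system."""
    port: int     # 1 = first channel (requester), 2 = second channel (authenticator)
    start: float  # seconds from the start of the call
    end: float
    audio: bytes  # audio of the statement; constructed placeholder bytes below


def is_two_way_conversation(segments, min_per_party=2, min_alternations=2, max_gap_s=10.0):
    """Filter of [0063]: statements from both parties ([0062]), turns that alternate,
    and no silence longer than max_gap_s between successive statements.
    The three thresholds are assumptions, not values from the application."""
    counts = {1: 0, 2: 0}
    alternations = 0
    prev = None
    for seg in sorted(segments, key=lambda s: s.start):
        counts[seg.port] += 1
        if prev is not None:
            if seg.port != prev.port:
                alternations += 1
            if seg.start - prev.end > max_gap_s:
                return False  # long dead air between statements: not a live exchange
        prev = seg
    return min(counts.values()) >= min_per_party and alternations >= min_alternations


def same_recording(segments):
    """Checksum check of [0061]: a statement whose digest is heard on both ports is
    one recording played into both channels rather than two live voices."""
    digests = {1: set(), 2: set()}
    for seg in segments:
        digests[seg.port].add(hashlib.sha256(seg.audio).hexdigest())
    return bool(digests[1] & digests[2])


def evaluate_confirmation(segments, confirmation_time):
    """[0064]: accept the authenticator's confirmation only if a real two-way
    conversation took place before it was recorded and no replay was detected."""
    before = [s for s in segments if s.end <= confirmation_time]
    two_way = is_two_way_conversation(before)
    replay = same_recording(before)
    return {"two_way": two_way, "same_recording": replay, "accept": two_way and not replay}


# Constructed sample calls; the byte strings stand in for real audio frames.
LIVE_CALL = [
    Segment(2, 0.0, 2.5, b"auth: hello, who is calling?"),
    Segment(1, 3.0, 6.0, b"req: this is alice, please approve the transfer"),
    Segment(2, 6.5, 9.0, b"auth: what did we discuss on monday?"),
    Segment(1, 9.5, 12.0, b"req: the budget review"),
    Segment(2, 12.5, 14.0, b"auth: ok, confirmed"),
]
# The requester side only relays the authenticator's own audio back (same digests).
REPLAY_CALL = [
    Segment(2, 0.0, 2.5, b"auth: hello, who is calling?"),
    Segment(1, 3.0, 5.5, b"auth: hello, who is calling?"),
    Segment(2, 6.0, 8.0, b"auth: ok, confirmed"),
    Segment(1, 8.5, 10.5, b"auth: ok, confirmed"),
]
ONE_SIDED_CALL = [
    Segment(2, 0.0, 2.0, b"auth: hello?"),
    Segment(2, 3.0, 5.0, b"auth: anyone there?"),
    Segment(2, 6.0, 8.0, b"auth: confirmed anyway"),
]
STALLED_CALL = [
    Segment(2, 0.0, 2.0, b"auth: hello?"),
    Segment(1, 20.0, 22.0, b"req: yes"),
    Segment(2, 23.0, 25.0, b"auth: ok"),
    Segment(1, 26.0, 28.0, b"req: thanks"),
]

if __name__ == "__main__":
    print("live   ", evaluate_confirmation(LIVE_CALL, 15.0))
    print("early  ", evaluate_confirmation(LIVE_CALL, 4.0))   # confirmation before any exchange
    print("replay ", evaluate_confirmation(REPLAY_CALL, 12.0))
```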
[0065] According to a further embodiment, the authentication system
is configured to assign each of the first communication channel and
the second communication channel to one of a group of predefined
security classes; and to determine a security level of the
authentication communication channel, wherein the security level of
the authentication communication channel depends on whether or not
the security class of the first communication channel and the
security class of the second communication channel are
different.
[0066] Accordingly, it is possible to increase a security level of
the authentication by providing an authentication communication
channel, which combines different technologies.
[0067] The group of security classes may be predefined. Each
security class may be defined depending on the communication
channel and/or a data transport via the communication channel. The
data transport may comprise a communication protocol of the
communication channel and/or an encryption for communicating via
the communication channel. The communication channel may comprise a
communication link, an end node device, an operating system of the
end node device and an application running on the end node device,
wherein the application is involved in the data transport via the
communication channel.
[0068] Each security class may correspond to a different type of
communication protocol, a different type of end node device, a
different type of application running on the end node device and/or
a different type of communication link. The types may be
predefined. By way of example, types of end node devices are mobile
phones, wired phones and computers. Furthermore, by way of example,
types of communication links are wired phone networks, mobile phone
networks and the Internet.
[0069] The first communication channel is assigned to a security
class of the group of security classes, wherein the class of the
first communication channel corresponds to a first communication
protocol. Accordingly, the second communication channel is assigned
to a security class of the group of security classes. In case the
security class of the first communication channel is different from
the security class of the second communication channel, the
security level is higher than in case the security class of the
first communication channel is identical to the security class of
the second communication channel. Thereby the security level of the
authentication communication channel depends on whether or not the
security class of the first communication channel is identical to
the security class of the second communication channel.
[0070] According to a further embodiment, the authentication system
is configured to assign each of the first communication channel and
the second communication channel to one of a group of predefined
security classes, wherein the security level of the authentication
communication channel depends on a combination of the security
class of the first communication channel and the security class of
the second communication channel.
[0071] For example, the security level of the authentication
communication channel depends on how much the security class of the
first communication channel is incompatible with the class of the
second communication channel. Thereby, the combination of the
security class of the first communication channel and the security
class of the second communication channel represents a degree of
incompatibility.
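The security-class scheme of [0065] through [0071], the threshold criterion of [0042] and the selection of a contact data entry pair in [0047] and [0048] can be modelled as follows. This is an added Python example and not code from the application; the ContactEntry fields, the additive weighting of the random delay in the security level, and the sample contact data entries are assumptions.

```python
import itertools
from dataclasses import dataclass


# Predefined types named in [0044] and [0068]. A contact data entry determines the
# technology of the channel the system will use when it contacts that entry.
@dataclass(frozen=True)
class ContactEntry:
    address: str       # constructed sample phone number or VoIP user address
    device_type: str   # "mobile_phone" | "wired_phone" | "computer"
    link_type: str     # "mobile_network" | "wired_phone_network" | "internet"
    protocol: str      # hypothetical protocol label, e.g. "gsm", "pstn", "sip"
    encryption: str    # hypothetical encryption label, e.g. "none", "srtp"

    def security_class(self) -> tuple:
        """Security class of the channel behind this entry ([0067]): the combination
        of end node device, communication link, protocol and encryption."""
        return (self.device_type, self.link_type, self.protocol, self.encryption)


def degree_of_incompatibility(first: ContactEntry, second: ContactEntry) -> int:
    """Number of class components on which the first and second channel differ
    ([0071]): 0 when both use identical technology, 4 when they share nothing."""
    return sum(a != b for a, b in zip(first.security_class(), second.security_class()))


def security_level(first: ContactEntry, second: ContactEntry, random_delay: bool) -> int:
    """Security level of the authentication communication channel: the degree of
    incompatibility, plus one when the system waits a random delay before contacting
    the end node devices ([0043], [0045]). The additive weighting is an assumption."""
    return degree_of_incompatibility(first, second) + (1 if random_delay else 0)


def meets_criterion(level: int, threshold: int) -> bool:
    """Predefined security criterion expressed as a threshold value ([0042])."""
    return level >= threshold


def select_channel_pair(requester_entries, authenticator_entries, threshold, random_delay=True):
    """Choose the requester entry and authenticator entry whose combined channel has
    the highest security level ([0047], [0048]). Returns (level, requester_entry,
    authenticator_entry), or None when no pair meets the criterion."""
    best = None
    for req, auth in itertools.product(requester_entries, authenticator_entries):
        level = security_level(req, auth, random_delay)
        if best is None or level > best[0]:
            best = (level, req, auth)
    if best is None or not meets_criterion(best[0], threshold):
        return None
    return best


# Constructed sample contact data entries of one claimed identity and one authenticator.
REQ_LANDLINE = ContactEntry("+49-89-0000001", "wired_phone", "wired_phone_network", "pstn", "none")
REQ_MOBILE = ContactEntry("+49-170-0000001", "mobile_phone", "mobile_network", "gsm", "a5")
REQ_VOIP = ContactEntry("alice@voip.example", "computer", "internet", "sip", "srtp")
AUTH_MOBILE = ContactEntry("+49-170-0000002", "mobile_phone", "mobile_network", "gsm", "a5")
AUTH_VOIP = ContactEntry("carol@voip.example", "computer", "internet", "sip", "srtp")
REQUESTER_ENTRIES = [REQ_LANDLINE, REQ_MOBILE, REQ_VOIP]
AUTHENTICATOR_ENTRIES = [AUTH_MOBILE, AUTH_VOIP]

if __name__ == "__main__":
    # Landline to the requester, mobile to the authenticator: four differing
    # components plus the random delay gives level 5.
    print(select_channel_pair(REQUESTER_ENTRIES, AUTHENTICATOR_ENTRIES, threshold=5))
    # Both parties reachable only via the same mobile technology: level 1, criterion not met.
    print(select_channel_pair([REQ_MOBILE], [AUTH_MOBILE], threshold=3))
```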
[0072] According to a further embodiment, the authentication system
is configured to establish the first communication channel, wherein
the establishing of the first communication channel comprises
waiting a first random delay time before contacting the end node
device of the requester; and/or wherein the establishing of the
second communication channel comprises waiting a second random
delay time before contacting the end node device of the
authenticator. The first random delay time and/or the second random
delay time may be after the recording of the claimed identity and
the requested service and before the establishing of the respective
first and second communication channel.
[0073] Accordingly, it is possible to ensure a high security level
for the authentication communication channel, since it is not
possible for the attacker to predict the time when the first and
the second communication channel are established.
[0074] The first random delay time and/or the second random delay
time may be defined as a time, which depends on a random number.
The random number may be generated by the authentication system.
The first random delay time and the second random delay time may
depend on the same random number. Alternatively, the first random
delay time and the second random delay time may depend on different
random numbers. The first and/or second random number may be
generated based on a random number range. An increased random
number range may lead to an increased security level of the
authentication communication channel.
[0075] According to a further embodiment, the authentication system
is configured to establish the first communication channel
depending on the claimed identity, wherein the establishing of the
first communication channel comprises randomly selecting the
contact data entry of the end node device of the requester from a
first subset of the plurality of contact data entries; and/or
wherein the establishing of the second communication channel
comprises randomly selecting a contact data entry of the end node
device of the authenticator from a second subset of the plurality
of contact data entries. The first subset may comprise contact data
entries of requesters and the second subset may comprise contact
data entries of authenticators.
[0076] In other words, the contact data entry of the end node
device of the authenticator and/or the end node device of the
requester is selected by applying a random algorithm to a
respective subset of the contact data entries, which are stored in
the storage device. Accordingly, it is possible to avert attacks
more efficiently. In particular, in case of a man-in-the-middle
attack, it is not possible for the attacker to predict, which
person will serve as the authenticator for authenticating the
service.
[0077] The authentication system may further be configured to
determine the first and/or second subsets of contact data entries
from the plurality of contact data entries. By way of example, the
second subset may comprise contact data entries of authenticators
who personally know the requester and/or who are able and/or
authorized to authenticate the requester. Furthermore, the first
subset may comprise those contact data entries from the plurality
of contact data entries, which correspond to the claimed identity.
For example, the first subset comprises a landline telephone
number, a mobile telephone number and a user address for a voice
over IP or video over IP session, each of which corresponding to
the claimed identity.
[0078] According to a further embodiment, the authentication system
is configured to randomly select a selection algorithm from a
plurality of selection algorithms, each of which is configured to
perform at least one of the selecting of a contact data entry of
the end node device of the authenticator and the selecting of a
contact data entry of the end node device of the requester.
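The authorization data lookup of [0032] through [0034] and the random subset selection of [0075] through [0078] can be implemented together as follows. This is an added Python example and not code from the application; the DATABASE contents, the ContactEntry fields and the two selection algorithms are constructed assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ContactEntry:
    owner: str    # identity (name of the person) the entry belongs to
    kind: str     # "landline" | "mobile" | "voip"
    address: str  # constructed sample value


# Constructed database ([0032], [0052]): identities of potential requesters, contact
# data entries of requesters and authenticators, and authorization data assigning to
# each authenticator the identities they know personally and may authenticate.
DATABASE = {
    "identities": {"Alice Example", "Bob Example"},
    "contact_entries": [
        ContactEntry("Alice Example", "landline", "+49-89-0000001"),
        ContactEntry("Alice Example", "mobile", "+49-170-0000001"),
        ContactEntry("Bob Example", "mobile", "+49-170-0000002"),
        ContactEntry("Carol Example", "mobile", "+49-170-0000003"),
        ContactEntry("Carol Example", "voip", "carol@voip.example"),
        ContactEntry("Dave Example", "landline", "+49-89-0000004"),
        ContactEntry("Erin Example", "voip", "erin@voip.example"),
    ],
    "authorization": {
        "Carol Example": {"Alice Example"},
        "Dave Example": {"Alice Example", "Bob Example"},
        "Erin Example": {"Bob Example"},
    },
}


def authorized_authenticators(db, claimed_identity):
    """[0034]: compare the claimed identity with the stored identities, then return
    the authenticators to whom that identity is assigned by the authorization data."""
    if claimed_identity not in db["identities"]:
        return set()
    return {auth for auth, ids in db["authorization"].items() if claimed_identity in ids}


def contact_subsets(db, claimed_identity):
    """[0077]: first subset = entries of the claimed identity (requester side);
    second subset = entries of the authenticators authorized for that identity."""
    auths = authorized_authenticators(db, claimed_identity)
    first = [e for e in db["contact_entries"] if e.owner == claimed_identity]
    second = [e for e in db["contact_entries"] if e.owner in auths]
    return first, second


# A plurality of selection algorithms ([0078]); both pick randomly ([0075]) so that
# an attacker cannot predict which person or device will serve as authenticator.
def uniform_choice(first, second, rng):
    return rng.choice(first), rng.choice(second)


def different_kind_choice(first, second, rng):
    """Like uniform_choice, but prefers an authenticator entry whose device kind
    differs from the requester entry's ([0048])."""
    req = rng.choice(first)
    candidates = [e for e in second if e.kind != req.kind] or second
    return req, rng.choice(candidates)


SELECTION_ALGORITHMS = (uniform_choice, different_kind_choice)


def select_contact_entries(db, claimed_identity, rng=None):
    """Return (requester_entry, authenticator_entry) for the claimed identity, or
    None when the identity is unknown or nobody is authorized to authenticate it.
    The selection algorithm itself is chosen at random per request ([0078])."""
    rng = rng or random.SystemRandom()  # OS entropy rather than the default PRNG
    first, second = contact_subsets(db, claimed_identity)
    if not first or not second:
        return None
    algorithm = rng.choice(SELECTION_ALGORITHMS)
    return algorithm(first, second, rng)


if __name__ == "__main__":
    print(select_contact_entries(DATABASE, "Alice Example"))
    print(select_contact_entries(DATABASE, "Mallory Example"))  # unknown identity -> None
```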
[0079] According to a further embodiment, the authentication system
is further configured to transmit a message to at least one of an
end node device of a further person and a further system informing
the at least one of the further person and the further system of
the requested service.
[0080] Accordingly, it is possible to enable the further persons or
the further systems to send messages to the authentication system
to object to the service request. The authentication system may be
configured to wait a predetermined or predeterminable time for
receiving confirmation or objection messages from the at least one
of the further person and the further system.
[0081] According to a further embodiment, the authentication system
is configured to determine a forwarding delay time such that a
security level of the authentication meets a predefined
authentication security criterion; and to forward the requested
service after the forwarding delay time has passed from the
receiving of the confirmation message.
[0082] Accordingly, since there is a forwarding delay between the
receiving of the confirmation message and the forwarding of the
requested service, it is possible for the authenticator to withdraw
his confirmation at a later time, even when he initially has
confirmed the claimed identity or the requested service. The
authentication system may be configured to increase the forwarding
delay time with an increased desired security level. The forwarding
delay time may depend on a randomly generated number. The forwarding
delay time may depend on further factors, which may limit the
duration of the forwarding delay time, such as urgency of action or
priority.
[0083] Embodiments provide a method of authenticating a requester
requesting a service using an authentication system; the method
comprising: establishing a first communication channel via an end
node device of the requester and a communication link between a
first port of the authentication system and the end node device of
the requester; recording an identity claimed by the requester and a
service requested by the requester; selecting from a plurality of
contact data entries stored on a storage device of the
authentication system a contact data entry of an end node device of
an authenticator; establishing a second communication channel via
the end node device of the authenticator and a communication link
between a second port of the authentication system and the end node
device of the authenticator depending on the selected contact data
entry; establishing via the first and the second port an
authentication communication channel comprising the first
communication channel and the second communication channel such
that at least one of an audio stream of a voice of the requester, a
video stream of a face of the requester and a 3D-data stream of the
face of the requester is transmittable between the end node device
of the requester and the end node device of the authenticator; and
recording a confirmation message of the authenticator, wherein the
confirmation message confirms or rejects at least one of the
claimed identity and the requested service.
[0084] According to a further embodiment, the method comprises
storing on a storage device a plurality of contact data entries of
a plurality of authenticators, a plurality of identities of
potential requesters and authorization data. The authorization data
may assign to each of the plurality of authenticators one or more
of the identities, which the respective authenticator is able
and/or authorized to authenticate. Additionally or alternatively,
the authorization data may assign to each of the plurality of
authenticators one or more identities, wherein there is a personal
relationship between the respective authenticator and each of the
one or more assigned identities.
[0085] According to a further embodiment, the method comprises
establishing the first communication channel via the end node
device of the requester and the communication link between the
first port of the authentication system and the end node device of
the requester.
[0086] According to a further embodiment, the establishing of the
first communication channel is performed by the authentication
system in response to the requesting of the service.
[0087] According to a further embodiment, the establishing of the
first communication channel and the establishing of the second
communication channel are performed such that a security level of
the authentication communication channel meets a predefined
security criterion.
[0088] Embodiments provide a machine-readable medium or a computer
program product. The machine-readable medium or the computer
program product may have stored thereon a program code, which, when
loaded and executed in a computer system or a processor, is adapted
to perform the method according to any one of the previously described
embodiments.
BRIEF DESCRIPTION OF THE DRAWINGS
[0089] The foregoing as well as other advantageous features are
more apparent from the following detailed description of exemplary
embodiments with reference to the accompanying drawings. It is
noted that not all possible embodiments necessarily exhibit each
and every, or any, of the advantages identified herein.
[0090] FIG. 1 is a schematic illustration of an authentication
system according to an exemplary embodiment;
[0091] FIG. 2 is a flow chart illustrating the operation of the
authentication system, which is shown in FIG. 1;
[0092] FIG. 3 is a flow chart illustrating an exemplary manner of
determining the contact data entries of the authenticators for
authenticating the requester; and
[0093] FIG. 4 is a schematic illustration of how an authentication
security level is determined based on predefined security
classes.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
[0094] FIG. 1 is a schematic illustration of an authentication
system 1 and the various communication channels, which are managed
by the authentication system 1 according to an exemplary
embodiment. The authentication system 1 is installed in a bank
service center 40.
[0095] A requester, who wishes to access a service offered by the
bank service center 40, calls the bank service center 40 with a
requesting end node device, such as a mobile telephone. The
requested service may be, for example, a bank transaction. The call
is routed through a local area network 13 of the bank service
center 40 to the authentication system 1, which performs an
authentication of the requester. After the requester is
authenticated, the service request is forwarded to a bank service
provider system (not shown in FIG. 1) of the bank service center
40.
[0096] When the requester is connected to the authentication system
1, the authentication system 1 records a service request and an
identity claimed by the requester. Then, the authentication system
1 establishes a first communication channel between a first port
(not shown in FIG. 1) of the authentication system 1 and an end
node device 20 of the requester. Also, the authentication system 1
establishes a second communication channel between a second port
(not shown in FIG. 1) of the authentication system 1 and an end
node device 30 of an authenticator. A portion of the first
communication channel is established within a wireless telephone
network 25, within the public switched telephone network 40, and
within the local area network 13 of the service center 40. A
portion of the second communication channel is established within
the Internet 38.
[0097] Alternatively, the first communication channel may be
established when the requester calls the bank service center 40 to
gain access to the service. Then, via the first communication
channel, the requester may transmit the claimed identity and the
service request to the authentication system 1.
[0098] The authentication system 1 then combines or merges the
first communication channel and the second communication channel
such that an authentication communication channel is established
between the end node device 20 of the requester and the end node
device 30 of the authenticator. The authentication communication
channel comprises the first communication channel, the second
communication channel, and the first and the second port. The
authentication communication channel is configured such that at
least one of an audio stream of a voice of the requester, a video
stream of a face of the requester and a 3D-data stream of the face
of the requester is transmittable between the end node device of
the requester 20 and the end node device of the authenticator 30.
Thereby, the authenticator can communicate with the requester and
at the same time can see the face of the requester displayed on the
display 32 of the end node device 30 of the authenticator. This
allows the authenticator to authenticate the requester by listening
to the voice of the requester and/or by watching the requester's
face image. The authenticator may be selected by the authentication
system 1 such that the authenticator is a person, who is part of
the requester's life and/or such that the authenticator is able
and/or authorized to authenticate the requester. Thereby, by
talking to the requester and/or watching the face of the requester,
it is possible for the authenticator to authenticate the requester.
Thereby, the security level of the authentication is not limited by
deficiencies of biometric sensors.
[0099] The authentication system 1 then requests the authenticator
to transmit a confirmation message to the authentication system 1.
The authenticator confirms or rejects the identity of the requester
by using a keyboard 33 or a computer mouse 34 of the end node
device 30 of the authenticator, or by giving a voice command, which
is recorded by the microphone 39 of the end node device 30. The
confirmation message confirms or rejects the claimed identity
and/or the requested service. The confirmation message is recorded
by the authentication system 1, for example by storing information
contained in the confirmation message on a storage device 11 of a
computer system 10 of the authentication system 1.
[0100] The authentication system 1 comprises a storage device 11,
on which a plurality of contact data entries are stored. A contact
data entry may for example be a telephone number or a user address
for a voice over IP session or a video over IP session. The
authentication system 1 selects contact data entries from the
plurality of stored contact data entries for establishing the first
communication channel and/or the second communication channel. For
example, the authentication system may select the contact data
entry of the end node device of the requester by selecting a
contact data entry from those contact data entries, which
correspond to a person having the claimed identity. Furthermore,
the contact data entry of the end node device of the authenticator
may be selected from the contact data entries, which correspond to
authenticators who personally know the person having the claimed
identity.
[0101] The end node device 30 of the authenticator comprises a
digital video camera 31, a microphone 39, a display 32 and a
speaker 35. This makes it possible to establish a video over IP session
between the authentication system 1 and the end node device 30 of
the authenticator. Also, the end node device 20 of the requester
comprises a digital video camera 21, which is configured to capture
a real-time video image of the face of the requester. The mobile
telephone 20 further comprises a display 22, a microphone 23 and a
speaker 26. Thereby, it is possible for the authentication system 1
to establish a video call or a video conference between the end
node device 20 of the requester and the end node device 30 of the
authenticator.
[0102] The end node device 30 of the authenticator is not limited
to the computer system, as shown in FIG. 1, but may be any end node
device, which is suitable for receiving audio and/or video streams
forwarded from the authentication system 1 and for acquiring audio
data and/or video image data for transmitting corresponding audio
and/or video streams to the authentication system 1.
[0103] The authentication system 1 is configured to determine a
security level of the authentication communication channel before
the first and the second communication channel are established.
Thereby, it is possible for the authentication system 1 to
determine, whether the security level of the authentication
communication channel meets a security criterion. By way of
example, the authentication system 1 may determine, whether the
security level of the authentication communication channel exceeds
a predetermined threshold value.
[0104] The security level of the authentication communication
channel may depend on the degree of complexity, which is required
to launch a successful attack.
[0105] Depending on the security criterion, the authentication
system 1 may establish a further communication channel to an end
node device 50 of a further authenticator. In the example, shown in
FIG. 1, the end node device 50 of the further authenticator is a
wired telephone device. A portion of the further communication
channel is established within a public switched telephone network
40. The further communication channel is connected to a third port
of the authentication system 1. The authentication system 1 is
configured such that a communication channel is establishable
between the first port and the third port. Thereby, it is possible
for the further authenticator to authenticate the requester based
on an audio telephone communication between the requester and the
further authenticator. Additionally or alternatively, the further
authenticator may authenticate the first authenticator who uses the
end node device 30 of the first authenticator, after a
communication channel is established by the authentication system 1
between the second and the third port. Additionally or
alternatively, the first authenticator may confirm the claimed
identity of the requester and the second authenticator may confirm
the requested service.
[0106] The end node device 50 of the further authenticator is not
limited to the wired telephone device, as shown in FIG. 1, but may
be any end node device, which is suitable to receive audio and/or
video streams forwarded from the authentication system 1, to
acquire audio data and/or video image data for transmitting
corresponding audio and/or video streams to the authentication
system 1.
[0107] The authentication system 1 may be configured to establish
communication channels to a number of end node devices of
authenticators. A higher number of authenticators increases the
authentication security level.
[0108] The authentication system 1 may comprise a conference bridge
(not shown in FIG. 1), which is configured to establish the
required communication channels between the various ports of the
authentication system 1. It is also conceivable that the
authentication system comprises a plurality of conference bridges,
which are connected to form a cluster. Thereby, it is possible to
balance the load generated by a plurality of authenticators.
[0109] It is also conceivable that the authentication system 1 deals
with services different from bank services. By way of example, the
authentication system 1 may be configured to handle alarms, which
are triggered by persons or sensors, which detect a dangerous
condition. The alarm message is transmitted to the authentication
system 1. The authentication system 1 contacts a person (requester
in the example above), who is entitled to determine which action is
to be taken to eliminate the dangerous condition after having been
authenticated by an authenticator.
[0110] FIG. 2 is a flow chart illustrating an exemplary
authentication process, which is performed by the authentication
system 1, as shown in FIG. 1. After the requester has established a
connection to the authentication system, the authentication system
records 100 an identity claimed by the requester and a service
requested by the requester. The authentication system selects a
first subset of a plurality of contact data entries, wherein each
contact data entry of the first subset corresponds to the claimed
identity. The authentication system selects a first contact data
entry from the first subset to contact the requester by
establishing 120 a first communication channel.
[0111] The authentication system further selects a second subset
from the plurality of contact data entries. Each contact data entry
of the second subset corresponds to one of a group of
authenticators, who personally know the requester. Additionally or
alternatively, the second subset may comprise a plurality of
contact data entries, which correspond to a same authenticator, but
which represent communication channels which are at least partially
located in different networks or which represent communication
channels to physically different end node devices.
[0112] Then, the authentication system selects 110 a second contact
data entry from the second subset. The authentication system is
configured to select the first contact data entry and the second
contact data entry such that the security level of the
authentication communication channel, which will be established
depending on the selected first and second contact data entry,
meets a predefined security criterion.
[0113] Depending on the predefined security criterion, the number of
authenticator contact data entries to be contacted in order to
authenticate the requester is selected. In the example
shown in FIG. 2, the number of authenticators is two, however, it
may also be one or any other number. Alternatively, the number may
be a fixed number for all services provided by the service
center.
[0114] Then, a second communication channel to a first
authenticator is established 130 between a second port of the
authentication system and an end node device of the first
authenticator. Via the second communication channel, the first
authenticator may authenticate his identity, for example by
providing a password or by an authentication token, which is read
by the end node device of the authenticator. Then, the
authentication system establishes 140 an authentication
communication channel via the first and the second port. This
allows the first authenticator to communicate with the requester
via audio and/or video. Then, a message is transmitted from the end
node device of the first authenticator to the authentication
system, as to whether or not the first authenticator confirms the
claimed identity of the requester. The confirmation message is
received 150 and stored by the authentication system.
[0115] Simultaneously or successively to the establishing 120, 130
of the first and/or second communication channel, the establishing
140 of the communication channel between the first and the second
port and the receiving 150 of the confirmation message, the
corresponding procedure for the authentication by the second
authenticator may be performed. This corresponding procedure
comprises an establishing 170 of a third communication channel
between a third port of the authentication system and an end node
device of the second authenticator, an establishing 180 of a
communication channel between the first port and the third port,
whereby the requester can communicate with the second authenticator
via audio and/or video, and a receiving 190 of a confirmation
message of the second authenticator.
[0116] The authentication system may further be configured such
that in case any one of the first and the second authentication
channel is not establishable (e.g. since the respective authenticator
is not available), the authentication system selects further
contact data entries from the plurality of contact data entries for
contacting one or more further authenticators.
[0117] The authentication system may further be configured to send
status updates to the requester informing him about the status of
the authentication. The status updates may be sent after a random
delay time has passed from the point of time of the corresponding
status changes. Thereby, it is more difficult for a possible
attacker to predict the point of time, when the communication
channel to the one or more authenticators are established.
[0118] The authentication system may be configured to analyze the
audio and/or video streams transmitted between the end node device
of the requester and the end node device of the authenticator. For
example, the authentication system may be configured to determine,
whether there is a mutual communication between the requester and
the authenticator. The authentication system may analyze the audio
streams to check whether the communication comprises verbal
statements of both the authenticator and the requester.
Furthermore, the authentication system may be configured to analyze
the reaction times between successive verbal statements to
determine, whether the transmitted audio streams represent a
real-time communication rather than played recordings. The analysis
of the audio and/or video streams may be performed in real-time.
Additionally or alternatively, the audio and/or video streams may
be recorded and the analysis is performed at a later point in time.
The analysis may also comprise analyzing the video streams, to
detect voice manipulation filters.
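The turn-taking analysis sketched in paragraph [0118] can be shown on a recorded two-party exchange. The following is an added example, not code from the application: it takes a constructed list of speech segments (who spoke, from when to when), checks that both parties produced verbal statements, and measures the reaction time at each change of speaker. The reaction-time bounds, the segment representation and the verdict wording are assumptions chosen for illustration; the video analysis mentioned in the paragraph is not covered.

```python
"""Added example, not the application's own code: mutual-communication and
reaction-time analysis of a two-party exchange as described in [0118].
Speech segments and thresholds are constructed assumptions."""
from dataclasses import dataclass

# Assumed bounds for a human reaction between one party finishing a
# statement and the other party starting to reply. A reply that starts
# before, or essentially at, the end of the previous statement, or only
# after a long silence, suggests a played recording rather than a live
# person answering.
MIN_REACTION_S = 0.15
MAX_REACTION_S = 4.0


@dataclass(frozen=True)
class Segment:
    speaker: str   # "requester" or "authenticator"
    start: float   # seconds since the start of the exchange
    end: float


def is_mutual(segments):
    """Both parties must contribute verbal statements."""
    speakers = {s.speaker for s in segments}
    return {"requester", "authenticator"} <= speakers


def reaction_times(segments):
    """Gap at each change of speaker: start of the reply minus end of the
    previous statement (negative when the reply overlaps it)."""
    ordered = sorted(segments, key=lambda s: s.start)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.speaker != nxt.speaker:
            gaps.append(nxt.start - prev.end)
    return gaps


def looks_live(segments):
    """Return (verdict, reasons): verdict is True only when the exchange is
    mutual and every reaction time lies inside the assumed human range."""
    reasons = []
    if not is_mutual(segments):
        reasons.append("only one party produced verbal statements")
    gaps = reaction_times(segments)
    if not gaps:
        reasons.append("no change of speaker, so no reaction time to assess")
    for gap in gaps:
        if gap < MIN_REACTION_S:
            reasons.append(f"reply began {gap:.2f}s after the previous "
                           "statement: too fast for a live reaction")
        elif gap > MAX_REACTION_S:
            reasons.append(f"reply began {gap:.2f}s after the previous "
                           "statement: suspiciously long silence")
    return (not reasons, reasons)


# Constructed sample exchanges (seconds).
LIVE_EXCHANGE = [
    Segment("authenticator", 0.0, 2.0),
    Segment("requester", 2.6, 5.0),
    Segment("authenticator", 5.4, 7.0),
    Segment("requester", 7.9, 9.5),
]
RECORDING_EXCHANGE = [          # requester "replies" with zero reaction time
    Segment("authenticator", 0.0, 2.0),
    Segment("requester", 2.0, 6.0),
    Segment("authenticator", 6.5, 8.0),
    Segment("requester", 8.0, 10.0),
]
ONE_SIDED = [                   # the requester never speaks
    Segment("authenticator", 0.0, 2.0),
    Segment("authenticator", 3.0, 5.0),
]


if __name__ == "__main__":
    for name, exchange in [("live", LIVE_EXCHANGE),
                           ("recording", RECORDING_EXCHANGE),
                           ("one-sided", ONE_SIDED)]:
        print(name, looks_live(exchange))
```

The same functions can be run over a stored recording after the fact, as the paragraph allows, since they only need the segment boundaries rather than the live stream.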
[0119] The authentication system may further be configured to
present to the requester information about the service requested.
For example, the authenticator may see on the display 32 (shown in
FIG. 1) the transaction amount and the recipient of the bank
transaction.
[0120] The authenticator may inform the authentication system that
the authenticator does not personally know the requester. Then, the
authentication system will select a further contact data entry from
the subset of contact data entries for contacting a further
authenticator.
[0121] When each of the confirmation messages of the first and the
second authenticators are positive, the service request is
forwarded 160 to the service provider system.
[0122] The authentication system may further be configured such
that before the service request is forwarded 160 to the service
provider system, messages to further persons are transmitted,
wherein each of the messages contains information about the service
request. The information contained in the messages may depend on
the desired security level. The authentication system may be
configured such that the messages do not have to be confirmed for
forwarding the message to the service provider. The authentication
system may be configured to reject the service request, in case a
message from any one of the persons is received, which contains a
disapproval of the service request. The authentication system may
be configured to wait a delay time within which a disapproval from
the further persons can be received. The delay time may depend on
the desired security level.
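The decision logic of the FIG. 2 flow described in paragraphs [0114] to [0122] (contact the selected authenticators, fall back to a further contact data entry when a channel cannot be established or the authenticator does not know the requester, forward only when every confirmation message is positive and no disapproval arrived within the delay time) is shown below as an added example. It is not code from the application; the contact data entries, the authenticator responses, the Outcome values and the disapproval list are constructed for illustration.

```python
"""Added example, not the application's own code: decision logic of the
FIG. 2 flow ([0114] to [0122]) over constructed authenticator responses."""
from enum import Enum


class Outcome(Enum):
    CONFIRMED = "confirmed"        # confirmation message is positive
    REJECTED = "rejected"          # authenticator rejects identity or service
    UNREACHABLE = "unreachable"    # channel could not be established ([0116])
    UNKNOWN = "unknown_requester"  # authenticator does not know the requester ([0120])


def collect_confirmations(subset, contact, required):
    """Contact authenticators in the order of the selected subset until
    `required` confirmation messages have been recorded. An entry whose
    channel cannot be established, or whose authenticator does not know
    the requester, is skipped and a further contact data entry is tried.
    `contact` stands in for establishing the channel and holding the
    conversation: it maps a contact data entry to an Outcome."""
    messages = {}
    for entry in subset:
        if len(messages) == required:
            break
        outcome = contact(entry)
        if outcome in (Outcome.UNREACHABLE, Outcome.UNKNOWN):
            continue
        messages[entry] = outcome
    return messages


def decide(messages, required, disapprovals):
    """Forward the service request only when the required number of
    confirmation messages was recorded and each of them is positive
    ([0121]); a disapproval received from an informed person within the
    delay time rejects the request ([0122])."""
    if len(messages) < required:
        return "reject: required number of authenticators not reached"
    if any(m is Outcome.REJECTED for m in messages.values()):
        return "reject: an authenticator rejected the claimed identity or the service"
    if disapprovals:
        return "reject: disapproval received from " + ", ".join(disapprovals)
    return "forward to service provider system"


# Constructed subset and responses: A1 is unreachable, A3 does not know the
# requester, A2 and A4 confirm.
SUBSET = ["A1", "A2", "A3", "A4"]
RESPONSES = {
    "A1": Outcome.UNREACHABLE,
    "A2": Outcome.CONFIRMED,
    "A3": Outcome.UNKNOWN,
    "A4": Outcome.CONFIRMED,
}


def run_example(required=2, disapprovals=()):
    """Run the constructed scenario; `disapprovals` lists the informed
    persons (placeholder names) who objected within the delay time."""
    messages = collect_confirmations(SUBSET, RESPONSES.__getitem__, required)
    return messages, decide(messages, required, list(disapprovals))


if __name__ == "__main__":
    print(run_example())
    print(run_example(disapprovals=["P7"]))
```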
[0123] FIG. 3 is a flow chart illustrating an algorithm for
selecting 120 the contact data entries of the one or more
authenticators from the subset of contact data entries. The
algorithm shown in FIG. 3 may be performed by the authentication
system 1 (shown in FIG. 1). The algorithm, shown in FIG. 3 is
started after the determining 110 (shown in FIG. 2) of the subset
of contact data entries of the authenticators and before the
establishing 130, 170 (shown in FIG. 2) of the one or more
communication channels to the authenticators.
[0124] The authentication system determines 210 a desired security
level for the authentication process. The desired security level
may be determined depending on the requested service and/or the
claimed identity of the requester.
[0125] By way of example, the desired security level ds may be
determined according to the following equation
$ds = us \cdot si,$
[0126] wherein us denotes a user security level and si denotes a
service importance. It is also conceivable that the desired
security level depends on additional factors.
[0127] The user security level us may be determined depending on
the claimed identity. For example, the authentication system may
perform an initial authentication of the requester. The initial
authentication may be based on voice recognition techniques, face
recognition techniques or other biometric recognition techniques.
The user security level us may then be determined depending on the
degree of uncertainty involved in this initial authentication.
Additionally or alternatively, potential requesters may be grouped
into groups of different user security levels. By way of example, a
high user security level us may be assigned to service requests,
when the claimed identity corresponds to a client, who wants to
have a high security level for all its transactions.
[0128] The service importance si may depend on the potential
damage, which may be caused by a successful attack. By way of
example, a small transaction amount of a bank transaction may
result in a comparatively low service importance si. By way of
example, both the user security level us and the service importance
si are positive values of between 0 and 10.
[0129] Depending on the determined desired security level ds, one
or more contact data entries of one or more authenticators are
determined. A high desired security level ds may result in
selecting contact data entries, which correspond to a communication
channel having a high communication channel security level and/or
may result in a high number of different authenticators.
[0130] In the exemplary method illustrated in FIG. 3, a first
contact data entry is selected 220 from the subset of contact data
entries. The first contact data entry may be selected depending on
the desired security level ds. For example, in case the desired
security level ds has a high value, a contact data entry may be
selected, which corresponds to a high communication channel security
level of the corresponding authenticator.
[0131] Then, a security level of the authentication communication
channel is determined 230 based on the selected first contact data
entry. In case the security level of the authentication
communication channel is equal to or greater than the desired
security level (YES in 240), the method proceeds with establishing
(130 in FIG. 2) a communication channel to the authenticator of the
selected contact data entry. In case the security level of the
authentication communication channel is smaller than the desired
security level (NO in 240), a second contact data entry is selected
220 from the subset of contact data entries. Hence, at least two
authenticators will be contacted for authenticating the requester.
Based on the selected first and second contact data entries, a
determining 230 of the security level of the authentication
communication channel is again performed depending on the selected
first and second contact data entries.
[0132] The security level of the authentication communication
channel may be determined depending on a security level of the
communication channel to the requester and a security level of the
communication channels to the authenticators. In case more than one
contact data entry of an authenticator has been selected so far,
the security level of the authentication communication channel may
additionally or alternatively be determined depending on a number
of the contact data entries, which have been selected so far.
[0133] The security level of the authentication communication
channel may depend on at least one of the following: the number of
contact data entries, selected so far, a line difference factor and
locations of end node devices corresponding to the contact data
entries, selected so far.
[0134] By way of example, the security level of the authentication
communication channel may be determined according to the following
equation
$$as = ld \cdot \sum_{i=1}^{N} cs_i \, d_i \, wf_i \, bf_i$$
[0135] wherein N denotes the number of communication channels,
including the first communication channel to the requester, and the
second to Nth communication channels to the authenticators. ld
denotes a line difference factor and d.sub.i denotes the location
distance between the end node device of the authenticator and the
end node device of the requester; wherein for N=1 (i.e. the
requester) the location distance is set to 1. cs.sub.i denotes the
security level of the ith communication channel. wf.sub.i denotes a
white list factor of the ith communication channel and bf.sub.i
denotes a black list factor of the ith communication channel.
[0136] The security level of the communication channel may depend
on a security level of the end node device, a security level of the
communication link between the end node device and the
authentication system and/or a security level of an application or
operating system running on the end node device. For example, the
security level of the communication channel is calculated by
multiplying the security level of the end node device with the
security level of the communication link. The security level of the
communication channel may depend on the number of contact data
entries which are stored on the storage device for the respective
authenticator, who is called to authenticate the requester. A call
diversion to an authenticator's end node device may lead to a low
security level of the communication channel.
[0137] The white list factor wf.sub.i yields a high security level
of the authentication communication channel in case a parameter
related to the ith communication channel considers the ith
communication channel as secure. The black list factor bf.sub.i
yields a low security level in case a parameter related to the ith
communication channel considers the ith communication channel as
insecure.
[0138] The location distance d.sub.i may for example be indicative
of whether the end node device of the requester and the end node
device of the authenticator are both located substantially at a
same location. End node devices, which are located substantially at
a same location involve a high security risk, since it is possible
that they are both operated by a same person.
[0139] It is also conceivable that the security level of the
authentication communication channel depends on additional factors.
The process of how to determine the line difference factor is
explained with reference to FIG. 4.
[0140] After having determined 230 again the security level of the
authentication communication channel, the security level of the
authentication communication channel is again compared to the
desired security level. In case the authentication security level
is smaller than the desired security level (i.e. NO in 240), a
further contact data entry is selected 220 from the subset of
contact data entries. In case the authentication level is equal to
or greater than the desired security level (i.e. YES in 240), the
method proceeds with establishing (130, 170 in FIG. 2) the
communication channels to each of the authenticators using the selected
contact data entries.
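The selection loop of FIG. 3, paragraphs [0124] to [0140], together with the two formulas given above (ds = us · si and as = ld · Σ cs_i · d_i · wf_i · bf_i), is worked through below as an added example; it is not code from the application. The contact data entries, every factor value, the 0..10 scale assumed for cs, the rule that candidates are tried in order of their own channel quality, and the value of the line difference factor are constructed assumptions.

```python
"""Added example, not the application's own code: the FIG. 3 selection loop
with ds = us * si and as = ld * sum_{i=1..N} cs_i * d_i * wf_i * bf_i.
All entries, factor values and scales are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """A contact data entry with the per-channel factors of the formula."""
    name: str
    cs: float  # security level of the communication channel
    d: float   # location distance factor; 1 for the requester's channel
    wf: float  # white list factor, > 1 when a parameter marks the channel secure
    bf: float  # black list factor, < 1 when a parameter marks the channel insecure


def desired_security_level(us, si):
    """ds = us * si, with us and si between 0 and 10 ([0125], [0128])."""
    if not (0 <= us <= 10 and 0 <= si <= 10):
        raise ValueError("us and si must lie between 0 and 10")
    return us * si


def channel_security_level(device_level, link_level):
    """cs_i as the product of end node device and communication link
    security levels ([0136]); device on 0..10, link as a 0..1 factor
    (assumed scales)."""
    return device_level * link_level


def authentication_security_level(ld, channels):
    """as = ld * sum over all N channels of cs_i * d_i * wf_i * bf_i ([0134]).
    `channels` lists the requester's channel first, then the authenticators."""
    return ld * sum(c.cs * c.d * c.wf * c.bf for c in channels)


def select_authenticators(requester, subset, ld, ds):
    """FIG. 3 loop: select (220) one more authenticator entry, recompute
    (230) the security level and stop (240, YES) once it reaches ds.
    Candidates are tried in order of their own channel quality, an assumed
    realisation of preferring a high-security entry first ([0130])."""
    ordered = sorted(subset, key=lambda c: c.cs * c.wf * c.bf, reverse=True)
    selected = []
    for candidate in ordered:
        selected.append(candidate)
        level = authentication_security_level(ld, [requester] + selected)
        if level >= ds:
            return selected, level
    raise RuntimeError("subset exhausted below the desired security level")


# Constructed entries: A2 carries a black list factor, A1 is the best channel.
REQUESTER = Channel("R1", cs=channel_security_level(7, 1.0), d=1.0, wf=1.0, bf=1.0)
CANDIDATES = [
    Channel("A1", cs=9.0, d=1.5, wf=1.2, bf=1.0),
    Channel("A2", cs=6.0, d=1.0, wf=1.0, bf=0.5),
    Channel("A3", cs=8.0, d=1.2, wf=1.0, bf=1.0),
]
LD = 1.5  # line difference factor, assumed to come from the FIG. 4 table


if __name__ == "__main__":
    ds = desired_security_level(us=6, si=7)
    chosen, level = select_authenticators(REQUESTER, CANDIDATES, LD, ds)
    print([c.name for c in chosen], level)
```

With us = 6 and si = 7 the desired level is 42; the requester channel plus A1 reaches 34.8 (NO in 240), adding A3 reaches 49.2 (YES in 240), so two authenticators are contacted. Exhausting the subset without reaching ds raises an error, which is the point at which a real system would have to refuse or escalate.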
[0141] Before the authentication system starts to establish the
communication channels to the authenticators, the authentication
system waits a call delay time. The call delay time may be
determined such that the precise time of establishing a
communication channel is difficult to predict for a possible
attacker. The call delay time may be randomly generated or depend
on a randomly generated number. The call delay time may depend on
at least one of the following: an action security, an
action-threat-level, user settings for calculating the call delay
time, and a random number generated for calculating the call delay
time.
[0142] For example, the call delay time cd may be determined
according to the following equation
$cd = si \cdot tl \cdot us \cdot r_{cd},$
[0143] wherein si denotes the service importance, tl denotes the
threat-level, us denotes user settings for calculating the call
delay time, and r.sub.cd denotes the randomly generated number for
calculating the call delay time. It is also conceivable that the
call delay time depends on additional factors.
[0144] The threat level tl is raised in case the authentication
system gets aware of potential risks, which are independent from
the pending service request. For example, a suspiciously high
number of recent attacks may cause an increased threat level.
[0145] In order to further increase the security of the service
provided, the authentication system may be configured to wait an
action delay time after positive confirmation messages have been
received from each of the authenticators and before forwarding the
service request to the service provider system. The action delay
time may be randomly generated or depend on a randomly generated
number. The action delay time may depend on at least one of the
following: the authentication security level, the action-threat
level, user settings for calculating the call delay time, and a
random number, generated for calculating the action delay time.
[0146] By way of example, the action delay time ad may be
determined according to the following equation
$ad = si \cdot tl \cdot us \cdot r_{ad},$
[0147] wherein si denotes the service importance, tl denotes the
threat-level, us denotes the user settings for calculating the
action delay time, and r.sub.ad denotes the randomly generated
number for calculating the action delay time. It is also
conceivable that the action delay time depends on additional
factors.
[0148] The method, which is illustrated in the flow chart of FIG. 3
together with the equations, as given above, represents an
algorithm for determining 120 one or more contact data entries from
the subset of contact data entries. The authentication system may
be configured to randomly change the algorithm for determining 120
the one or more contact data entries. Thereby, it is more difficult
for an attacker to predict, which authenticators will be contacted
by the authentication system. Additionally or alternatively, the
algorithm for determining 120 the one or more contact data entries
may itself involve a random selection of the contact data entries
of the authenticators.
[0149] FIG. 4 schematically illustrates, how the contact data entry
of the end node device of the requester and the contact data entry
of the end node device of the authenticator are selected based on
predefined security classes. In the example shown in FIG. 4, the
security classes represent mutually different communication
protocols or mutually different types of communication
protocols.
[0150] In the example, shown in FIG. 4, the authentication system 1
(shown in FIG. 1) is configured to assign a communication channel
to one of a group of security classes. The group of security
classes comprises class A, class B and class C. By way of example,
each of the security classes represents an encrypted or
non-encrypted communication protocol. In the example, which is
shown in FIG. 4, the plurality of contact data entries comprises
contact data entries R1 and R2 of the requester and contact data
entries A1, A2 and A3 of three authenticators. Each of these three
authenticators knows the requester personally and is therefore
authorized and/or able to authenticate the requester. Each of the
contact data entries represents a communication channel.
[0151] The authentication system assigns contact data entries R1
and A3 to security class C, contact data entries R2 and A2 to
security class B and contact data entry A1 to security class A. On
the storage device of the authentication system, there is further
stored a table 100, which assigns each combination of classes to a
line difference factor. The authentication system is further
configured to calculate the security level of the authentication
communication channel depending on the line difference factor. The
security level of the authentication communication channel may
increase with increasing line difference factor. Alternatively, the
line difference factor is the security level of the authentication
communication channel.
[0152] In the example shown in FIG. 4, the authentication system
prefers a combination of a communication channel, which was
assigned to class A with a communication channel which was assigned
to class C, since the communication protocol which is represented
by class A is highly incompatible with the communication protocol
which is represented by class C. On the other hand, a combination
of a communication channel, which was assigned to class A and a
communication channel, which was assigned to class B is less
preferred, since the communication protocol of class B is a higher
version of the communication protocol of class A.
[0153] Therefore, the authentication system chooses contact data
entry R1 to contact the requester and contact data entry A1 to
contact the authenticator. Thereby, a high security level for the
authentication communication channel is achieved.
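The FIG. 4 selection of paragraphs [0149] to [0153] is shown below as an added example, not code from the application. The class assignment of R1, R2, A1, A2 and A3 follows paragraph [0151]; the numeric values in table 100 are constructed, and only their ordering reflects the text (class A with class C preferred, class A with class B less preferred, identical classes least preferred; the B/C value is an assumption set equal to A/B).

```python
"""Added example, not the application's own code: choosing the requester
and authenticator contact data entries by line difference factor (FIG. 4).
Class assignment follows [0151]; table values are constructed."""
from itertools import product

# Security class of each contact data entry, as stated in [0151].
ENTRY_CLASS = {"R1": "C", "R2": "B", "A1": "A", "A2": "B", "A3": "C"}

# Table 100: class combination -> line difference factor (constructed
# values). A and C are described as highly incompatible protocols, so that
# pairing scores highest; B is a higher version of A, so A/B scores lower;
# a pair within the same class scores lowest. B/C is an assumption.
LINE_DIFFERENCE = {
    frozenset({"A", "C"}): 3.0,
    frozenset({"A", "B"}): 1.5,
    frozenset({"B", "C"}): 1.5,
    frozenset({"A"}): 1.0,
    frozenset({"B"}): 1.0,
    frozenset({"C"}): 1.0,
}


def line_difference_factor(entry_a, entry_b):
    """Look up ld for the classes of two contact data entries; the
    frozenset key makes the table symmetric."""
    key = frozenset({ENTRY_CLASS[entry_a], ENTRY_CLASS[entry_b]})
    return LINE_DIFFERENCE[key]


def choose_pair(requester_entries, authenticator_entries):
    """Return (requester_entry, authenticator_entry, ld) with the highest
    line difference factor; ties keep the first pair in input order."""
    best = None
    for r, a in product(requester_entries, authenticator_entries):
        ld = line_difference_factor(r, a)
        if best is None or ld > best[2]:
            best = (r, a, ld)
    return best


if __name__ == "__main__":
    print(choose_pair(["R1", "R2"], ["A1", "A2", "A3"]))
```

On the entries of FIG. 4 the function returns R1 and A1, matching paragraph [0153]; the resulting ld is the factor that multiplies the sum in the security level formula of paragraph [0134].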
[0154] The authentication system may be configured to dynamically
adapt the above given formulas for calculating the desired security
level, the security level of the authentication communication
channel, the call delay time and the action delay time. Dynamically
adapting a formula may comprise adapting parameters, adding
parameters or removing parameters. Thereby, an even higher security
level of the authentication can be ensured.
* * * * *