WO2002001516A2 - Method and apparatus for using a cellular telephone as an authentification device - Google Patents


Publication number
WO2002001516A2
Authority
WO
WIPO (PCT)
Prior art keywords
transaction
caller
user
pin
participant
Prior art date
Application number
PCT/US2001/017704
Other languages
French (fr)
Other versions
WO2002001516A3 (en
Inventor
David Aucshith
Robert Sullivan, Jr.
Original Assignee
Intel Corporation
Application filed by Intel Corporation
Priority to EP01939805A (EP1330797A2)
Priority to AU2001265284A (AU2001265284A1)
Publication of WO2002001516A2
Publication of WO2002001516A3

Classifications

    • H04L63/0853: Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • G06Q20/02: Payment architectures, schemes or protocols involving a neutral party, e.g. certification authority, notary or trusted third party [TTP]
    • G06Q20/322: Aspects of commerce using mobile devices [M-devices]
    • G06Q20/4014: Identity check for transactions
    • G06Q20/425: Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • H04L63/18: Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels

Definitions

  • Aspects of the present invention relate in general to authenticating a user, and in particular to a method and system of verifying users in electronic transactions.
  • FIG. 1 illustrates an embodiment of a system that authenticates users in an electronic transaction.
  • FIG. 2 is a block diagram of an apparatus that authenticates users in an electronic transaction.
  • FIG. 3 is a block diagram of an embodiment that authenticates users in an electronic transaction.
  • FIG. 4 is a flowchart of a method that requests authentication of users in an electronic transaction.
  • FIGS. 5a and 5b are flowcharts of a method that authenticates users in an electronic transaction.
  • FIG. 1 is a simplified functional block diagram depicting system 100, constructed and operative in accordance with an embodiment of the present invention.
  • System 100 is configured to authenticate a user in an electronic transaction.
  • Electronic transactions are any transactions that take place over a computer network (i.e., an "on-line" transaction). Examples of such transactions include, but are not limited to, any sale or purchase of goods and services, or any operation that involves the electronic authorization of a party.
  • An example of the former is purchasing a book, compact disk, or any other goods or services, via an Internet browser on the World-Wide-Web ("WWW" or the "web").
  • An example of the latter transaction is the doctor's approval of a medical prescription being filled by an electronic pharmacy.
  • the method relies on the fact that a user is pre-registered with a caller database, and the user's wireless telephone number is unique to a particular user.
  • the network 110 may also include other networkable devices known in the art, such as other computers 120, servers 130, printers 125 and storage media 140. It is well understood in the art, that any number or variety of computer networkable devices or components may be coupled to the network 110 without inventive faculty. Examples of other devices include, but are not limited to, servers, computers, workstations, terminals, input devices, output devices, printers, plotters, routers, bridges, cameras, sensors, or any other such device known in the art.
  • Computer 120 may be of any kind known in the art that is able to communicate on the network 110.
  • Servers 130A-C may be any servers known in the art, including web, database, print, or application servers. More importantly, servers 130A-C may generate, originate, or participate in an electronic transaction that requires user authentication. A server participating in an electronic transaction is referred to as a "transaction server" 130.
  • Network 110 may be any communication network known in the art, including the Internet, a local-area-network (LAN), a wide-area-network (WAN), or any system that links a computer to an authentication server 135. Further, network 110 may be configured in accordance with any topology known in the art, including star, ring, bus, or any combination thereof.
  • Authentication server 135 is connected to a telephone network 150 that supports Calling Number Delivery (CND), also known as Caller ID (CID).
  • Telephone network 150 may be configured as a packet switch telephone network (PSTN), plain ordinary telephone service (POTS), Integrated Services Digital Network (ISDN), or any other telephone network 150 known in the art that supports caller ID.
  • telephone network 150 is connected to a wireless telephone system 160 that also supports Caller ID.
  • Authentication server 135 knows each user's wireless telephone number and stores the wireless telephone number in a caller database.
  • transaction server 130 requiring user authentication, may also be the same apparatus as the authentication server 135, without any loss of functionality.
  • Authentication server 135 runs a multi-tasking operating system and includes at least one central processing unit (CPU) 102.
  • CPU 102 may be any microprocessor or micro-controller as is known in the art.
  • CPU 102 may be a microprocessor, such as the Pentium III™ processor manufactured by Intel Corporation.
  • the software for programming the CPU may be found at a computer-readable storage medium 140 or, alternatively, from another location across network 110.
  • CPU 102 is connected to computer memory 118.
  • Authentication server 135 is controlled by an operating system (OS) that is executed within computer memory 118.
  • CPU 102 communicates with a plurality of peripheral equipment, including computer network interface 116 and telephone network interface 112.
  • Additional peripheral equipment may include a display 104, manual input device 106, storage medium 140, microphone 108, and data input port 114.
  • Display 104 may be a visual display such as a cathode ray tube (CRT) monitor, a liquid crystal display (LCD) screen, touch-sensitive screen, or other monitors as are known in the art for visually displaying images and text to a user.
  • Manual input device 106 may be a conventional keyboard, keypad, mouse, trackball, or other input device as is known in the art for the manual input of data.
  • Storage medium 140 may be a conventional read/write memory such as a magnetic disk drive, floppy disk drive, compact-disk read-only-memory (CD-ROM) drive, transistor-based memory or other computer-readable memory device as is known in the art for storing and retrieving data.
  • storage medium 140 may be remotely located from CPU 102, and be connected to CPU 102 via a network 110 such as a local area network (LAN), a wide area network (WAN), or the Internet.
  • Microphone 108 may be any suitable microphone as is known in the art for providing audio signals to CPU 102.
  • a speaker (not shown) may be attached for reproducing audio signals from CPU 102. It is understood that microphone 108 and speaker may include appropriate digital-to-analog and analog-to-digital conversion circuitry as appropriate.
  • Data input port 114 may be any data port as is known in the art for interfacing with an external accessory using a data protocol such as RS-232, Universal Serial Bus (USB), or Institute of Electrical and Electronics Engineers (IEEE) Standard No. 1394 ('Firewire').
  • Network interface 116 may be any interface as known in the art for communicating or transferring files across a computer network, examples of such networks include Transmission Control Protocol/Internet Protocol (TCP/IP), Ethernet, Fiber Distributed Data Interface (FDDI), token bus, or token ring networks.
  • network interface 116 may consist of a modem connected to the data input port 114.
  • telephone network interface 112 provides connectivity to authentication server 135 to communicate with a telephone network 150.
  • the telephone network interface 112 allows the authentication server 135 to communicate and process input from a telephone line.
  • FIG. 3 is an expanded functional block diagram of CPU 102 and storage medium 140. It is well understood by those in the art, that the functional elements of FIG. 3 may be implemented in hardware, firmware, or as software instructions and data encoded on a computer-readable storage medium 140.
  • central processing unit 102 is functionally comprised of a data processor 202, an application interface 204, a transaction processor 206, and a call handler 210.
  • Data processor 202 interfaces with display 104, manual input device 106, storage medium 140, microphone 108, data input port 114, Internet network interface 116, and telephone network interface 112.
  • the data processor 202 enables CPU 102 to locate data on, read data from, and write data to, these components.
  • Application interface 204 enables CPU 102 to take some action with respect to a separate software application or entity.
  • application interface 204 may take the form of a windowing user interface, as is commonly known in the art.
  • Transaction processor 206 handles an electronic commerce transaction. Transaction processor 206 approves or disapproves of transactions depending upon the verification of a user by call handler 210. The results of transaction processor 206 may be recorded on storage media 140 as a transaction log 242. Call handler 210 may be further comprised of a caller ID processor 212 and a caller verifier 214. These components of call handler 210 interact with a known caller database 244, and may best be understood with respect to the flowcharts of FIGS. 4, 5a and 5b, as described below.
  • FIG. 4 is a flow diagram depicting process 300, constructed and operative in accordance with an embodiment of the present invention.
  • process 300 initially determines whether transaction server 130 is participating in an electronic transaction that requires a user authentication. This determination may be accomplished by any means known in the art, including a table-look-up of a list of electronic transactions that require user authentication, or may be embedded within a program being executed by transaction server 130.
  • Process 300 in block 304, may suspend the transaction while the user is being authenticated.
  • process 300 causes transaction server 130 to send an authentication request (also known as a "transaction notification") to authentication server 135.
  • the authentication request may comprise a user identifier and a transaction identifier.
  • the user identifier can be any information that identifies the user as a party of the transaction, including: name, social security number, or any other similar identifier.
  • the transaction identifier identifies the transaction that requires the authentication. Additionally, in some embodiments, the user's electronic mail address may also be encoded within the authentication request.
  • the notification is conveyed to authentication server 135 via network 110. In embodiments that combine authentication server 135 with transaction server 130, the notification may be sent internally within the device itself.
  • process 300 waits for authentication server 135 to respond to the authentication request. Upon receiving a response from authentication server 135, process 300 determines whether the received response indicates that the user is authenticated. When the user is authenticated by the authentication server 135, the transaction is approved, block 312. Otherwise, the transaction is disallowed in block 314.
  • FIG. 5a and FIG. 5b are flow diagrams depicting process 400 and 450, respectively.
  • Process 400 and 450 describe the authentication sequence from the point of view of authentication server 135.
  • Authentication server 135 receives an authentication request or transaction notification from the transaction server 130 in block 401.
  • Transaction processor 206 decodes the user identifier and the transaction identifier from the authentication request.
  • transaction processor 206 generates a transaction PIN that comprises a sequence of numbers, between zero and nine. The sequence is used in conjunction with a user's wireless telephone number to authenticate the user's participation in a transaction.
  • the transaction PIN may contain alphanumeric characters including as well the symbols "*" and "#", words or a sequence of letters that can be entered via a telephone keypad.
  • Embodiments that generate numeric transaction PINs may generate a pseudo-random number by any means known in the art.
  • Embodiments that use letters may generate a pseudo-random series of letters and numbers or may use a dictionary to generate the transaction pin.
  • Some embodiments look up the user's entry in the caller database 244, and append or store the transaction identifier and the transaction pin as fields in the caller database 244, or as part of the transaction log 242.
  • process 400 transmits the transaction PIN to the user.
  • PIN is sent to the user by transaction processor 206 via network interface 116 and network 110.
  • the user is provided a telephone number that they are required to call to authenticate themselves as a valid user in the transaction.
  • the telephone number provided is connected to authentication server 135 via telephone network 150.
  • the telephone number is conveyed by looking up the electronic mail address of the user in a caller database 244, and then electronic-mailing the user to convey the telephone number.
  • Other embodiments include using the electronic mail address encoded within the authentication request.
  • Still other embodiments display the transaction PIN before the user via a World-Wide-Web page.
  • Process 450 of FIG. 5b authenticates the user by matching the user's caller-identified wireless phone number with the transaction PIN provided by process 400 in FIG. 5a.
  • the user calls the provided telephone number, reaching authentication server 135.
  • Authentication server 135 receives the call from the user at block 402.
  • Authentication server 135 identifies the user by matching the user as a caller from a certain wireless phone number via caller ID.
  • Authentication server 135 receives the call via its telephone network interface 112. The call is then routed to call handler 210.
  • the caller ID signal is delivered as a V.23 modem signal between the 1st and 2nd ring cycles.
  • the Caller ID is delivered over the D (signaling) channel at the initial onset of call setup in compliance with ITU-T specification Q.81.3.
  • the caller ID processor 212 derives the user's telephone number.
  • Caller verifier 214 takes the telephone number and looks up the caller identity in caller database 244.
  • the phone call is ignored, and authentication server 135 hangs up, block 408.
  • the caller is prompted to enter the transaction PIN, block 410. If the transaction PIN entered by the caller matches the one sent to the user by process 400, as determined by transaction processor 206, the user is authenticated, and transaction server 130 is informed of the authentication by internet network interface 116, block 414. If the transaction PIN entered by the caller does not match the one sent to the user, as determined by transaction processor 206, the authentication fails, and transaction server 130 is informed of the failure by the internet network interface 116. In some embodiments users can be offered an opportunity to re-enter the transaction PIN, block 416. The outcome of the authentication may be recorded in a transaction log 242.
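The sequence of processes 400 and 450 (blocks 401 to 416) can be traced in a small simulation. This is an added example, not code from the patent: the class and method names, the six-digit PIN length, the three-attempt limit, the single-use rule and the use of a CSPRNG with a constant-time comparison are assumptions, and the phone numbers are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field

KEYPAD_DIGITS = "0123456789"  # numeric PIN: a sequence of digits zero to nine
PIN_LENGTH = 6                # assumption: the page does not specify a length
MAX_ATTEMPTS = 3              # assumption: the page only says re-entry may be offered


@dataclass
class PendingTransaction:
    transaction_id: str
    pin: str
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class AuthenticationServer:
    """Toy model of authentication server 135 (transaction processor 206 + call handler 210)."""
    caller_db: dict                                      # caller database 244: number -> user id
    pending: dict = field(default_factory=dict)          # user id -> PendingTransaction
    transaction_log: list = field(default_factory=list)  # transaction log 242

    def _log(self, transaction_id, subject, outcome):
        self.transaction_log.append((transaction_id, subject, outcome))

    def handle_auth_request(self, user_id, transaction_id):
        """Blocks 401-403: accept the request, generate and record a transaction PIN."""
        if user_id not in self.caller_db.values():
            self._log(transaction_id, user_id, "rejected: user not pre-registered")
            return None
        # secrets draws from the OS CSPRNG; the page allows any pseudo-random source.
        pin = "".join(secrets.choice(KEYPAD_DIGITS) for _ in range(PIN_LENGTH))
        self.pending[user_id] = PendingTransaction(transaction_id, pin)
        self._log(transaction_id, user_id, "pin issued")
        return pin  # sent to the user over network 110 (e-mail or web page)

    def handle_call(self, caller_number, keypad_entries):
        """Blocks 402-416: identify the caller by caller ID, then check the entered PIN.

        caller_number is taken exactly as the telephone network delivered it; the
        scheme's strength rests on that value being trustworthy.
        """
        user_id = self.caller_db.get(caller_number)
        if user_id is None:
            self._log(None, caller_number, "hang up: caller not in database")  # block 408
            return "hangup"
        txn = self.pending.get(user_id)
        if txn is None:
            self._log(None, user_id, "hang up: no transaction awaiting this user")
            return "hangup"
        for entered in keypad_entries:  # block 410, with re-entry as in block 416
            if txn.attempts_left == 0:
                break
            txn.attempts_left -= 1
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(entered.encode(), txn.pin.encode()):
                del self.pending[user_id]  # PIN is single use
                self._log(txn.transaction_id, user_id, "authenticated")  # block 414
                return "authenticated"
        if txn.attempts_left == 0:
            del self.pending[user_id]  # exhausted: the PIN is no longer accepted
        self._log(txn.transaction_id, user_id, "failed")
        return "failed"


if __name__ == "__main__":
    server = AuthenticationServer(caller_db={"+15555550100": "alice"})  # constructed entry
    pin = server.handle_auth_request("alice", "txn-0001")
    print(server.handle_call("+15555550199", [pin]))        # hangup
    print(server.handle_call("+15555550100", ["no", pin]))  # authenticated
    for entry in server.transaction_log:
        print(entry)
```

The transaction log records every hang-up and failed entry alongside the caller number or user, which is the data an operator would review for repeated guessing against one account.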

Abstract

A method and apparatus for authenticating a participant of an electronic transaction. The participant is pre-registered with a caller database, and the participant's wireless telephone number is unique to a particular user. When an authentication server is notified of a transaction, it generates a transaction pin for the transaction participant and forwards the transaction pin to the participant via a network. The participant calls the authentication server via a wireless phone. The authentication server identifies the wireless telephone number and prompts the caller for the transaction pin. When combined with a known transaction pin and a unique wireless telephone number, a wireless phone user can be authenticated as a valid participant of an on-line transaction.

Description

METHOD AND APPARATUS FOR USING A CELLULAR TELEPHONE AS AN
AUTHENTICATION DEVICE
BACKGROUND
Field of the Invention
Aspects of the present invention relate in general to authenticating a user, and in particular to a method and system of verifying users in electronic transactions.
Description of the Related Art
The problem of authenticating the identity of people has existed for hundreds of years. In conventional transactions, authentication can be accomplished in a number of ways. For example, a commonly accepted form of identification document, such as a picture identifier (a "picture ID"), could be used to verify a person's identity.
However, with the advent of the Internet, an ever-increasing number of electronic (or "e-commerce") transactions take place. With electronic transactions, parties to a transaction cannot see the other parties, and often never meet or know the other parties at all.
Moreover, conventional methods of verifying identity in an electronic transaction often involve conveying personal information that only a valid person should know. Examples include using credit card numbers, social security numbers, address and other personal information. As personal information proliferates, privacy experts and the public are justifiably worried about the spread of such data. Even worse, as personal information proliferates, the information becomes "tainted" and too commonly known to serve as valid authenticators of personal identity. Consequently, the problem of authenticating the identity of a transaction participant is non-trivial and difficult.
Therefore, what is needed is a method of securely authenticating users in an electronic transaction.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an embodiment of a system that authenticates users in an electronic transaction.
FIG. 2 is a block diagram of an apparatus that authenticates users in an electronic transaction.
FIG. 3 is a block diagram of an embodiment that authenticates users in an electronic transaction.
FIG. 4 is a flowchart of a method that requests authentication of users in an electronic transaction.
FIGS. 5a and 5b are flowcharts of a method that authenticates users in an electronic transaction.
DETAILED DESCRIPTION
FIG. 1 is a simplified functional block diagram depicting system 100, constructed and operative in accordance with an embodiment of the present invention. System 100 is configured to authenticate a user in an electronic transaction. Electronic transactions are any transactions that take place over a computer network (i.e., an "on-line" transaction). Examples of such transactions include, but are not limited to, any sale or purchase of goods and services, or any operation that involves the electronic authorization of a party. An example of the former is purchasing a book, compact disk, or any other goods or services, via an Internet browser on the World-Wide-Web ("WWW" or the "web"). An example of the latter transaction is the doctor's approval of a medical prescription being filled by an electronic pharmacy.
The method relies on the fact that a user is pre-registered with a caller database, and the user's wireless telephone number is unique to a particular user. When combined with a known transaction code (e.g., Personal Identification number, PIN), which is sent to a user as part of the on-line/network transaction, a wireless phone user can be authenticated as a participant of the on-line transaction.
In system 100, computer 120 and an authentication server 135 are connected to a communications network 110. The network 110 may also include other networkable devices known in the art, such as other computers 120, servers 130, printers 125 and storage media 140. It is well understood in the art, that any number or variety of computer networkable devices or components may be coupled to the network 110 without inventive faculty. Examples of other devices include, but are not limited to, servers, computers, workstations, terminals, input devices, output devices, printers, plotters, routers, bridges, cameras, sensors, or any other such device known in the art. Computer 120 may be of any kind known in the art that is able to communicate on the network 110. Servers 130A-C may be any servers known in the art, including web, database, print, or application servers. More importantly, servers 130A-C may generate, originate, or participate in an electronic transaction that requires user authentication. A server participating in an electronic transaction is referred to as a "transaction server" 130.
Network 110 may be any communication network known in the art, including the Internet, a local-area-network (LAN), a wide-area-network (WAN), or any system that links a computer to an authentication server 135. Further, network 110 may be configured in accordance with any topology known in the art, including star, ring, bus, or any combination thereof.
Authentication server 135 is connected to a telephone network 150 that supports Calling Number Delivery (CND), also known as Caller ID (CID). Telephone network 150 may be configured as a packet switch telephone network (PSTN), plain ordinary telephone service (POTS), Integrated Services Digital Network (ISDN), or any other telephone network 150 known in the art that supports caller ID. In turn, telephone network 150 is connected to a wireless telephone system 160 that also supports Caller ID.
Each user in system 100 has a wireless phone 170. Authentication server 135 knows each user's wireless telephone number and stores the wireless telephone number in a caller database. In some embodiments, transaction server 130, requiring user authentication, may also be the same apparatus as the authentication server 135, without any loss of functionality.
Embodiments will now be disclosed with reference to a functional block diagram of an exemplary authentication server 135 of FIG. 2. Authentication server 135 runs a multi-tasking operating system and includes at least one central processing unit (CPU) 102. CPU 102 may be any microprocessor or micro-controller as is known in the art. For example, CPU 102 may be a microprocessor, such as the Pentium III™ processor manufactured by Intel Corporation. The software for programming the CPU may be found at a computer-readable storage medium 140 or, alternatively, from another location across network 110. CPU 102 is connected to computer memory 118. Authentication server 135 is controlled by an operating system (OS) that is executed within computer memory 118.
CPU 102 communicates with a plurality of peripheral equipment, including computer network interface 116 and telephone network interface 112. Additional peripheral equipment may include a display 104, manual input device 106, storage medium 140, microphone 108, and data input port 114. Display 104 may be a visual display such as a cathode ray tube (CRT) monitor, a liquid crystal display (LCD) screen, touch-sensitive screen, or other monitors as are known in the art for visually displaying images and text to a user. Manual input device 106 may be a conventional keyboard, keypad, mouse, trackball, or other input device as is known in the art for the manual input of data. Storage medium 140 may be a conventional read/write memory such as a magnetic disk drive, floppy disk drive, compact-disk read-only-memory (CD-ROM) drive, transistor-based memory or other computer-readable memory device as is known in the art for storing and retrieving data. Significantly, storage medium 140 may be remotely located from CPU 102, and be connected to CPU 102 via a network 110 such as a local area network (LAN), a wide area network (WAN), or the Internet.
Microphone 108 may be any suitable microphone as is known in the art for providing audio signals to CPU 102. In addition, a speaker (not shown) may be attached for reproducing audio signals from CPU 102. It is understood that microphone 108 and speaker may include appropriate digital-to-analog and analog-to-digital conversion circuitry as appropriate.
Data input port 114 may be any data port as is known in the art for interfacing with an external accessory using a data protocol such as RS-232, Universal Serial Bus (USB), or Institute of Electrical and Electronics Engineers (IEEE) Standard No. 1394 ('Firewire'). Network interface 116 may be any interface as known in the art for communicating or transferring files across a computer network, examples of such networks include Transmission Control Protocol/Internet Protocol (TCP/IP), Ethernet, Fiber Distributed Data Interface (FDDI), token bus, or token ring networks. In addition, on some systems, network interface 116 may consist of a modem connected to the data input port 114. Similarly, telephone network interface 112 provides connectivity to authentication server 135 to communicate with a telephone network 150. Thus, the telephone network interface 112 allows the authentication server 135 to communicate and process input from a telephone line.
FIG. 3 is an expanded functional block diagram of CPU 102 and storage medium 140. It is well understood by those in the art, that the functional elements of FIG. 3 may be implemented in hardware, firmware, or as software instructions and data encoded on a computer-readable storage medium 140. As shown in FIG. 3, central processing unit 102 is functionally comprised of a data processor 202, an application interface 204, a transaction processor 206, and a call handler 210. Data processor 202 interfaces with display 104, manual input device 106, storage medium 140, microphone 108, data input port 114, Internet network interface 116, and telephone network interface 112. The data processor 202 enables CPU 102 to locate data on, read data from, and write data to, these components.
Application interface 204 enables CPU 102 to take some action with respect to a separate software application or entity. For example, application interface 204 may take the form of a windowing user interface, as is commonly known in the art.
Transaction processor 206 handles an electronic commerce transaction. Transaction processor 206 approves or disapproves of transactions depending upon the verification of a user by call handler 210. The results of transaction processor 206 may be recorded on storage media 140 as a transaction log 242. Call handler 210 may be further comprised of a caller ID processor 212 and a caller verifier 214. These components of call handler 210 interact with a known caller database 244, and may best be understood with respect to the flowcharts of FIGS. 4, 5a and 5b, as described below.
FIG. 4 is a flow diagram depicting process 300, constructive and operative in accordance with an embodiment of the present invention. As shown in block 302, process 300 initially determines whether transaction server 130 is participating in an electronic transaction that requires a user authentication. This determination may be accomplished by any means known in the art, including a table-look-up of a list of electronic transactions that require user authentication, or may be embedded within a program being executed by transaction server 130. Process 300, in block 304, may suspend the transaction while the user is being authenticated.
In block 306, process 300 causes transaction server 130 to send an authentication request (also known as a "transaction notification") to authentication server 135. The authentication request may comprise a user identifier and a transaction identifier. The user identifier can be any information that identifies the user as a party of the transaction, including: name, social security number, or any other similar identifier. The transaction identifier identifies the transaction that requires the authentication. Additionally, in some embodiments, the user's electronic mail address may also be encoded within the authentication request. The notification is conveyed to authentication server 135 via network 110. In embodiments that combine authentication server 135 with transaction server 130, the notification may be sent internally within the device itself.
In block 310, process 300 waits for authentication server 135 to respond to the authentication request. Upon receiving a response from authentication server 135, process 300 determines whether the received response indicates that the user is authenticated. When the user is authenticated by the authentication server 135, the transaction is approved, block 312. Otherwise, the transaction is disallowed in block 314.
FIG. 5a and FIG. 5b are flow diagrams depicting processes 400 and 450, respectively. Processes 400 and 450 describe the authentication sequence from the point of view of authentication server 135. Authentication server 135 receives an authentication request or transaction notification from the transaction server 130 in block 401. Transaction processor 206 decodes the user identifier and the transaction identifier from the authentication request. In block 403, transaction processor 206 generates a transaction PIN that comprises a sequence of numbers between zero and nine. The sequence is used in conjunction with a user's wireless telephone number to authenticate the user's participation in a transaction. Note that in some embodiments, the transaction PIN may contain alphanumeric characters, as well as the symbols "*" and "#", words, or a sequence of letters that can be entered via a telephone keypad.
Embodiments that generate numeric transaction PINs may generate a pseudo-random number by any means known in the art. Embodiments that use letters may generate a pseudo-random series of letters and numbers or may use a dictionary to generate the transaction PIN. Some embodiments look up the user's entry in the caller database 244, and append or store the transaction identifier and the transaction PIN as fields in the caller database 244, or as part of the transaction log 242.
In block 405, process 400 transmits the transaction PIN to the user. The transaction PIN is sent to the user by transaction processor 206 via network interface 116 and network 110. In all embodiments, the user is provided a telephone number that they are required to call to authenticate themselves as a valid user in the transaction. The telephone number provided is connected to authentication server 135 via telephone network 150. In some embodiments, the telephone number is conveyed by looking up the electronic mail address of the user in a caller database 244, and then electronic-mailing the user to convey the telephone number. Other embodiments include using the electronic mail address encoded within the authentication request. Still other embodiments display the transaction PIN before the user via a World-Wide-Web page.
Process 450 of FIG. 5b authenticates the user by matching the user's caller-identified wireless phone number with the transaction PIN provided by process 400 in FIG. 5a. The user calls the provided telephone number, reaching authentication server 135. Authentication server 135 receives the call from the user at block 402. In block 404, authentication server 135 identifies the user by matching the user as a caller from a certain wireless phone number via caller ID. Authentication server 135 receives the call via its telephone network interface 112. The call is then routed to call handler 210. In some embodiments, the caller ID signal is delivered as a V.23 modem signal between the 1st and 2nd ring cycles. In embodiments connected to an ISDN line, the caller ID is delivered over the D (signaling) channel at the initial onset of call setup in compliance with ITU-T specification Q.81.3. Regardless of the implementation of caller ID, the caller ID processor 212 derives the user's telephone number. Caller verifier 214 takes the telephone number and looks up the caller identity in caller database 244.
If the telephone number cannot be determined, or the caller is not a known user of the system (as determined by caller database 244), the phone call is ignored, and authentication server 135 hangs up, block 408.
Otherwise, if the caller is identified as a known user in caller database 244, the caller is prompted to enter the transaction PIN, block 410. If the transaction PIN entered by the caller matches the one sent to the user by process 400, as determined by transaction processor 206, the user is authenticated, and transaction server 130 is informed of the authentication by Internet network interface 116, block 414. If the transaction PIN entered by the caller does not match the one sent to the user, as determined by transaction processor 206, the authentication fails, and transaction server 130 is informed of the failure by the Internet network interface 116. In some embodiments users can be offered an opportunity to re-enter the transaction PIN, block 416. The outcome of the authentication may be recorded in a transaction log 242.
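The flow of processes 400 and 450 can be modelled in a few lines of Python. This is an added example, not part of the patent text; the class and function names, the attempt limit, the choice of a CSPRNG, the number normalisation and the rule that a PIN is consumed by the first call reaching the prompt are all assumptions made for illustration.

```python
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumption: the text only says re-entry "can be offered" (block 416)


def normalize(number):
    """Reduce a caller-ID string to its digits; None or empty becomes ''."""
    return "".join(ch for ch in (number or "") if ch.isdigit())


class AuthenticationServer:
    """Illustrative model of authentication server 135 (processes 400 and 450)."""

    def __init__(self, caller_db):
        # Caller database 244, given as user identifier -> registered wireless
        # number and indexed here by normalized number for the caller-ID lookup.
        self.users_by_number = {normalize(n): uid for uid, n in caller_db.items()}
        self.pending = {}          # user identifier -> (transaction identifier, PIN)
        self.transaction_log = []  # transaction log 242

    def handle_request(self, user_id, transaction_id, digits=6):
        """Blocks 401-405: accept the request and return the PIN to deliver."""
        if user_id not in self.users_by_number.values():
            self.transaction_log.append((transaction_id, user_id, "unknown-user"))
            return None
        # Block 403: digits 0-9. The text permits any pseudo-random source; a
        # CSPRNG is chosen here so a PIN cannot be predicted from earlier ones.
        pin = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.pending[user_id] = (transaction_id, pin)
        return pin  # block 405: delivery (e-mail, web page) is outside this sketch

    def handle_call(self, caller_number, keypad_entries):
        """Blocks 402-416: caller_number is what caller ID delivered, or None."""
        number = normalize(caller_number)
        user_id = self.users_by_number.get(number) if number else None
        if user_id is None or user_id not in self.pending:
            # Block 408: number withheld or not registered. Hanging up when
            # nothing is pending for a known caller is an assumption.
            return "hangup"
        # Assumption: a PIN is consumed by the first call that reaches the prompt.
        transaction_id, pin = self.pending.pop(user_id)
        outcome = "failed"
        for entered in list(keypad_entries)[:MAX_ATTEMPTS]:  # blocks 410 and 416
            # Constant-time comparison of the keyed-in PIN with the issued one.
            if hmac.compare_digest(entered.encode(), pin.encode()):
                outcome = "authenticated"  # block 414
                break
        self.transaction_log.append((transaction_id, user_id, outcome))
        return outcome  # the result reported to transaction server 130


if __name__ == "__main__":
    server = AuthenticationServer({"alice": "+1 555 010 0100"})  # constructed entry
    pin = server.handle_request("alice", "txn-1")
    print(server.handle_call("1-555-010-0199", [pin]))  # number not registered
    print(server.handle_call("1-555-010-0100", [pin]))  # registered number, right PIN
    print(server.transaction_log)
```

Both factors are checked independently: a correct PIN from an unregistered number never reaches the prompt, and a registered number with a wrong PIN ends in a logged failure.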
The previous description of the embodiments is provided to enable any person skilled in the art to practice the method. The various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without the use of inventive faculty. Thus, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims

WHAT IS CLAIMED IS:
1. An apparatus comprising: a first network interface, connected to a computer network, configured to receive a transaction notification, the transaction notification containing a user identifier that identifies a participant to an electronic transaction; a processor, connected to the first network interface, configured to match the user identifier to a user phone number in a caller database and generate a transaction PIN, the first network interface forwards the transaction pin to the participant; and a second network interface, connected to the processor and a telephone network, configured to receive a phone call from a caller with a caller phone number, wherein the processor prompts the caller for a caller pin, the processor identifies the caller telephone number, and the processor authenticates the participant when the caller phone number and user phone number match and the transaction pin and the caller pin match.
2. The apparatus of claim 1, the processor further comprising: a transaction processor that matches a user phone number to the user identifier, generates a transaction pin, and authenticates the participant when the caller phone number and user phone number match and the transaction pin and the caller pin match.
3. The apparatus of claim 2, the processor further comprising: a caller ID processor, connected to the transaction processor, configured to identify the caller telephone number.
4. The apparatus of claim 3, the processor further comprising: a caller verifier, connected to the transaction processor, configured to match the user identifier to the user phone number in the caller database.
5. A method comprising: receiving a transaction notification via a first network interface, the transaction notification containing a user identifier that identifies a participant to an electronic transaction; matching a user phone number to the user identifier; generating a transaction pin; forwarding the transaction pin to the participant; receiving a phone call from a caller with a caller phone number via a second network interface; prompting the caller for a caller pin; verifying that the caller is a user when the caller phone number and user phone number match; and verifying that the caller is a participant to the electronic transaction when the transaction pin and the caller pin match.
6. The method of claim 5, further comprising: authenticating the user of the electronic transaction when the caller is verified as a user and when the caller is verified as a participant to the electronic transaction.
7. The method of claim 6, further comprising: informing a transaction server whether the user of the electronic transaction is authenticated.
8. The method of claim 7, further comprising: canceling the electronic transaction when the user of the electronic transaction is not authenticated.
9. The method of claim 8, further comprising: recording an outcome of the user authentication in a transaction log.
10. The method of claim 9, wherein generating a transaction pin is accomplished by generating a pseudo-random combination of numbers and letters.
11. The method of claim 9, wherein generating a transaction pin is accomplished by generating a pseudo-random selection of a word or words from a dictionary.
12. A computer-readable medium encoded with data and instructions, the data and instructions causing an apparatus executing the instructions to: receive a transaction notification via a first network interface, the transaction notification containing a user identifier that identifies a participant to an electronic transaction; match a user phone number to the user identifier; generate a transaction pin; forward the transaction pin to the participant; receive a phone call from a caller with a caller phone number via a second network interface; prompt the caller for a caller pin; verify that the caller is a user when the caller phone number and user phone number match; and verify that the caller is a participant to the electronic transaction when the transaction pin and the caller pin match.
13. The computer-readable medium of claim 12 further encoded with data and instructions, the data and instructions causing an apparatus executing the instructions to: authenticate the user of the electronic transaction when the caller is verified as a user and when the caller is verified as a participant to the electronic transaction.
14. The computer-readable medium of claim 13 further encoded with data and instructions, the data and instructions causing an apparatus executing the instructions to: inform a transaction server whether the user of the electronic transaction is authenticated.
15. The computer-readable medium of claim 14 further encoded with data and instructions, the data and instructions causing an apparatus executing the instructions to: cancel the electronic transaction when the user of the electronic transaction is not authenticated.
16. The computer-readable medium of claim 15 further encoded with data and instructions, the data and instructions causing an apparatus executing the instructions to: record an outcome of the user authentication in a transaction log.
17. The computer-readable medium of claim 16, wherein generating a transaction pin is accomplished by generating a pseudo-random combination of numbers and letters.
18. The computer-readable medium of claim 16, wherein generating a transaction pin is accomplished by generating a pseudo-random selection of a word or words from a dictionary.
PCT/US2001/017704 2000-06-26 2001-06-01 Method and apparatus for using a cellular telephone as an authentification device WO2002001516A2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP01939805A EP1330797A2 (en) 2000-06-26 2001-06-01 Method and apparatus for using a cellular telephone as an authentification device
AU2001265284A AU2001265284A1 (en) 2000-06-26 2001-06-01 Method and apparatus for using a cellular telephone as an authentification device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US60316900A 2000-06-26 2000-06-26
US09/603,169 2000-06-26

Publications (2)

Publication Number Publication Date
WO2002001516A2 true WO2002001516A2 (en) 2002-01-03
WO2002001516A3 WO2002001516A3 (en) 2003-04-17

Family

ID=24414354

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/017704 WO2002001516A2 (en) 2000-06-26 2001-06-01 Method and apparatus for using a cellular telephone as an authentification device

Country Status (4)

Country Link
EP (1) EP1330797A2 (en)
CN (1) CN1486476A (en)
AU (1) AU2001265284A1 (en)
WO (1) WO2002001516A2 (en)

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5485510A (en) * 1992-09-29 1996-01-16 At&T Corp. Secure credit/debit card authorization
GB2328310A (en) * 1996-05-15 1999-02-17 Ho Keung Tse Electronic transaction authorisation system
US5883810A (en) * 1997-09-24 1999-03-16 Microsoft Corporation Electronic online commerce card with transactionproxy number for online transactions
WO2000044130A1 (en) * 1999-01-20 2000-07-27 Netcom Ab A method, system and arrangement for providing services on the internet

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002019593A3 (en) * 2000-08-30 2002-09-06 Ericsson Telefon Ab L M End-user authentication independent of network service provider
WO2002019593A2 (en) * 2000-08-30 2002-03-07 Telefonaktiebolaget Lm Ericsson (Publ) End-user authentication independent of network service provider
US7433452B2 (en) 2002-03-05 2008-10-07 Ericsson Ab Method and apparatus for cashless transactions via a telecommunications network
GB2386236A (en) * 2002-03-05 2003-09-10 Marconi Comm Ltd Cashless transactions via a telecommunications network
US8369833B2 (en) 2002-08-06 2013-02-05 Boojum Mobile Systems and methods for providing authentication and authorization utilizing a personal wireless communication device
DE10306993A1 (en) * 2003-02-19 2004-09-09 Call & Card Communication Anstalt Cashless payment method, by transmitting transaction number to provider who checks if input PIN is associated with buyer identification number
DE10344483A1 (en) * 2003-09-24 2005-05-12 Vodafone Holding Gmbh Method for checking the authorization during the establishment and / or forwarding of a telecommunications connection
EP1544816A1 (en) * 2003-12-12 2005-06-22 Finport B.V. Method and system for authorising computer network rendered services
WO2007050005A1 (en) * 2005-10-25 2007-05-03 Udo Hinz Credit card substitute
WO2008102220A1 (en) * 2007-02-23 2008-08-28 Sony Ericsson Mobile Communications Ab Authorizing secure resources
US9361611B2 (en) 2008-02-20 2016-06-07 Collective Dynamics LLC Method and system for secure mobile payment transactions
US9530125B2 (en) 2008-02-20 2016-12-27 Collective Dynamics LLC Method and system for secure mobile payment transactions
WO2013050738A3 (en) * 2011-10-03 2013-06-20 Barclays Bank Plc User authentication via mobile phone
US11063933B2 (en) 2011-10-03 2021-07-13 Barclays Execution Services Limited User authentication

Also Published As

Publication number Publication date
AU2001265284A1 (en) 2002-01-08
CN1486476A (en) 2004-03-31
EP1330797A2 (en) 2003-07-30
WO2002001516A3 (en) 2003-04-17

Similar Documents

Publication Publication Date Title
US7486785B2 (en) Method for customer recognition and management
US7287270B2 (en) User authentication method in network
US10140596B2 (en) Third party authentication of an electronic transaction
US7254619B2 (en) Apparatus for outputting individual authentication information connectable to a plurality of terminals through a network
US20030051138A1 (en) Mobile terminal authentication method and a mobile terminal therefor
US20060059362A1 (en) Automated password reset via an interactive voice response system
US20060235803A1 (en) Apparatus, system, and method for facilitating electronic communication based on a personal contact
US20070187502A1 (en) Multiple device and/or user association
US8082213B2 (en) Method and system for personalized online security
WO2001044940A1 (en) Dual network system and method for online authentication or authorization
JP2004240637A (en) Password authentication system
CN106875177A (en) Order processing method, device and paying server
CN107423975A (en) By submitting number to carry out strong authentication
US20140302814A1 (en) Centralized caller profile and payment system and methods for processing telephone payments
WO2002001516A2 (en) Method and apparatus for using a cellular telephone as an authentification device
US20040024817A1 (en) Selectively restricting access of automated agents to computer services
US20070028105A1 (en) Apparatus and method for providing security in computing and communication environments
SE531960C2 (en) Method of securely executing a payment transaction
JP2005216250A (en) Reception system, reception auxiliary server, and reception processing server
JP2002229951A (en) Person identification system
JP2001318897A (en) User authentication method, network system to be used for the method, and recording medium recorded with its control program
JP2003186837A (en) Apparatus and method for one-time password authentication and its authentication program
JP2003284141A (en) Authentication apparatus for mobile communication terminal
US20090300741A1 (en) Granting server/workstation access using a telephone system
JP2002245006A (en) Authentication system, authentication method, program, and recording medium therefor

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 018118232

Country of ref document: CN

WWE Wipo information: entry into national phase

Ref document number: 2001939805

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWP Wipo information: published in national office

Ref document number: 2001939805

Country of ref document: EP

NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Ref document number: 2001939805

Country of ref document: EP