Authentication Methods and Systems

US 20090300738A1
Filed: 06/14/2007
Published: 12/03/2009
Est. Priority Date: 06/14/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of generating an authentication token comprising the steps of:

i. downloading a cryptographic based application to a mobile telephony device;

ii. running the cryptographic based application on the mobile telephony device; and

iii. displaying a token generated by the cryptographic based application on a display of the mobile telephony device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of generating an authentication token using a cryptographic based application downloaded to a mobile telephony device and a method of authenticating an online transaction using such a token. The method may be employed in a two factor authentication method uitilising a user password and an authentication token. The method allows a two factor authentication method to be provided by a wide range of mobile telephony devices operating either online or offline. Other authentication systems and methods of authentication are also disclosed.

59 Citations

View as Search Results

63 Claims

1. A method of generating an authentication token comprising the steps of:
- i. downloading a cryptographic based application to a mobile telephony device;
  
  ii. running the cryptographic based application on the mobile telephony device; and
  
  iii. displaying a token generated by the cryptographic based application on a display of the mobile telephony device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 34, 35, 50, 52, 60, 61, 62, 63)
- - 2. A method as claimed in claim 1 wherein the token is generated whilst the mobile telephony device is offline.
  - 3. A method as claimed in claim 1 wherein the token is generated whilst the mobile telephony device is online.
  - 4. A method as claimed in claim 1 wherein a URL link is sent to the mobile telephony device to enable downloading of the cryptographic based application.
  - 5. A method as claimed in claim 4 wherein an SMS message including the URL link is sent to the mobile telephony device.
  - 6. A method as claimed in claim 4 wherein the URL link is sent in response to a request made during an internet banking session.
  - 7. A method as claimed in claim 4 wherein the URL link is sent in response to a request made via an IVR service.
  - 8. A method as claimed in claim 1 wherein the application is downloaded using a secure protocol.
  - 9. A method as claimed in claim 4 wherein a user specific URL is sent to each user.
  - 10. A method as claimed in claim 4 wherein the cryptographic based application includes a user specific signature.
  - 12. A method as claimed in claim 10 wherein the generated token is generated at least in part based on the user specific signature.
  - 13. A method as claimed in claim 1 wherein the generated token is based on a time related factor.
  - 14. A method as claimed in claim 13 wherein the time related factor is elapsed time from a start time.
  - 15. A method as claimed in claim 1 wherein the generated token is generated at least in part based on a unique security code assigned to the user.
  - 16. A method as claimed in claim 15 wherein the unique security code is embedded in the downloaded cryptographic based application.
  - 17. A method as claimed in claim 1 wherein the generated token is generated at least in part based on a user entered code.
  - 18. A method as claimed in claim 17 wherein the user entered code includes a PIN.
  - 19. A method as claimed in claim 1 wherein the cryptographic based application uses a hash function.
  - 20. A method as claimed in claim 19 wherein the hash function is based on a SHA 512 digest function.
  - 21. A method as claimed in claim 1 wherein the cryptographic based application requires an activation code to be entered to enable the application.
  - 22. A method as claimed in claim 21 wherein the activation code is a unique code supplied to a user.
  - 23. A method as claimed in claim 21 wherein the activation code is a user ID and a password.
  - 24. A method as claimed in claim 1 wherein an activation code must be sent to a remote computer to enable tokens generated by the mobile telephony device to be accepted by the remote computer.
  - 25. A method as claimed in claim 21 wherein the activation code includes a user specific signature from the cryptographic based application.
  - 26. A method as claimed in claim 21 wherein the activation is sent using a secure protocol.
  - 27. A method as claimed in claim 21 wherein the activation code is a unique code supplied to a user.
  - 28. A method as claimed in claim 27 wherein the activation code is a user ID and a password.
  - 34. A method as claimed in claim 27 wherein the authentication token is generated whilst the mobile telephony device is online.
  - 35. A method as claimed in claim 34 wherein the authentication token is sent via a wireless communications channel.
  - 50. A method as claimed in claim 1 wherein the mobile telephony device is a cellular phone.
  - 52. A mobile telephony device configured to operate in accordance with the method claim 1.
  - 60. A method as claimed in claim 1 wherein transaction details are entered by a user and used to generate the authentication token.
  - 61. A method as claimed in claim 60 wherein the transaction information includes the payee account and the amount of the payment.
  - 62. A method as claimed in claim 60 wherein once the token is authenticated a transaction is completed according to the transaction information.
  - 63. Software configured to effect the method of claim 1.

11. A method as claimed in 10 wherein the user specific signature is stored in a JAR file.

29. A method of authenticating a transaction comprising:
- i. downloading a cryptographic based application to a mobile telephony device;
  
  ii. supplying first authentication information to an authentication system;
  
  iii. generating an authentication token using the cryptographic based application of the mobile telephony device;
  
  iv. supplying the authentication token to the authentication system; and
  
  v. verifying the first authentication information and authentication token by the authentication system.
- View Dependent Claims (30, 31, 32, 33, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 51)
- - 30. A method as claimed in claim 29 wherein the authentication system is a remote computer.
  - 31. A method as claimed in claim 29 wherein the authentication token is generated whilst the mobile telephony device is offline.
  - 32. A method as claimed in claim 31 wherein the first authentication information and the authentication token are sent via the same communications channel.
  - 33. A method as claimed in claim 32 wherein the first authentication information and the authentication token are sent via the internet.
  - 36. A method as claimed in claim 29 wherein the first authentication information is static information.
  - 37. A method as claimed in claim 36 wherein the first authentication information is a user ID and password.
  - 38. A method as claimed in claim 29 wherein the authentication token is transient information.
  - 39. A method as claimed in claim 29 wherein the authentication token is generated on the basis of time based information.
  - 40. A method as claimed in claim 39 wherein the authentication token is generated on the basis of a time related factor.
  - 41. A method as claimed in claim 40 wherein the time related factor is elapsed time from a start time.
  - 42. A method as claimed in claim 41 wherein an offset between the time of a clock of the mobile telephony device and the time of a clock of the authentication system is stored in the mobile telephony device and used to synchronise the time related factor between the mobile telephony device and the remote computer.
  - 43. A method as claimed in claim 39 wherein the authentication system verifies the authentication token by generating an authentication token locally and comparing it to the authentication token received.
  - 44. A method as claimed in claim 42 wherein the authentication system will only validate the authentication token received if it has been generated within a prescribed period of receipt by the remote computer.
  - 45. A method as claimed in claim 39 wherein the authentication token includes information as to its time of generation which is extracted and validated if the time of generation is within a specified window with respect to the time of verification at the authentication system.
  - 46. A method as claimed in claim 45 wherein the time of generation of the authentication token is stored at a location within the token based on user specific information.
  - 47. A method as claimed in claim 30 wherein a user specific signature is stored at the authentication device and is included in the cryptographic based application and is used to generate the authentication token and the authentication system verifies the authentication token based at least in part on the user specific signature.
  - 48. A method as claimed in claim 47 wherein the user specific signature is stored in a JAR file.
  - 49. A method as claimed in claim 30 wherein a user secret is stored in the authentication system and is included in the cryptographic based application and is used for generation of the authentication token and the authentication system verifies the authentication token based at least in part on the user specific signature
  - 51. A system configured to operate in accordance with the method of claim 29.

53. A method of authenticating a transaction comprising:
- a. generating an authentication token at a mobile device based on seed data and local time data wherein the token includes time of generation information;
  
  b. transmitting the authentication token to an authentication system;
  
  c. extracting the time of generation information from the token; and
  
  d. authenticating the token only if the time of generation information is within a prescribed window with respect to the time of receipt at the authentication system.
- View Dependent Claims (54, 55)
- - 54. A method as claimed in claim 53 wherein the time of generation information is inserted at a location within the token based on user specific information
  - 55. A method as claimed in claim 54 wherein the time of generation information is inserted at a location within the token based on user specific information selected from one or more of:
    - a user specific signature, a user secret, a user pass code and user account details

56. A method of verifying the authenticity of an application downloaded to a mobile telephony device comprising:
- a. sending a user specific URL to a user of a mobile telephony device;
  
  b. downloading an application from the user specific URL to the mobile telephony device;
  
  c. storing the user specific URL in memory of the mobile telephony device separately from the application; and
  
  d. verifying that the installed application was downloaded from the user specific URL before running the application.
- View Dependent Claims (57)
- - 57. A method as claimed in claim 56 wherein the user specific URL is stored in an obfuscated manner within the application.

58. A method of verifying the authenticity of a transaction between a mobile telephony device and a remote authentication system comprising:
- a. inserting a user specific signature in an application downloaded to the mobile device;
  
  b. storing the user specific signature at the remote authentication system;
  
  c. generating an authentication token at the mobile telephony device based at least in part on the user specified signature using the downloaded application;
  
  d. sending the authentication token to the authentication system; and
  
  e. verifying the authentication token at the remote computer including verifying that the authentication token was generated using the user specified signature.
- View Dependent Claims (59)
- - 59. A method as claimed in claim 58 wherein the user specific signature is stored in a JAR file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fronde Anywhere Ltd.
Original Assignee
Fronde Anywhere Ltd.
Inventors
Dewe, Caroline Mostyn, Alvarez Diaz, Sergio, Williams, Antony John, Parfene, Horatiu Nicolae, Ide, Jonathan Paul

Application Number

US12/085,777
Publication Number

US 20090300738A1
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

G06F 21/42   using separate channels for...

G06F 2221/2107   File encryption

G06F 2221/2119   Authenticating web pages, e...

G06Q 20/3227   using secure elements embed...

G06Q 20/3263   characterised by activation...

G06Q 20/3265   characterised by personalis...

G06Q 20/38215   Use of certificates or encr...

G06Q 20/3823   combining multiple encrypti...

G06Q 20/3827   Use of message hashing

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

G06Q 20/425   using two different network...

H04L 63/083   using passwords cryptograph...

H04L 63/18   using different networks or...

H04L 67/34   involving the movement of s...

Authentication Methods and Systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

59 Citations

63 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication Methods and Systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

59 Citations

63 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links