METHODS AND SYSTEMS FOR AUTHENTICATING USERS

US 20110209200A2
Filed: 08/05/2009
Published: 08/25/2011
Est. Priority Date: 08/05/2009
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating users to reduce transaction risks, said method comprising:

storing biometric authentication data and personal data for each of a plurality of authorized users in an authentication system, and storing protected resources in a server, wherein each of the protected resources is associated with at least a corresponding one of the plurality of authorized users, the authentication system is different than the server, and the server is included in a first communications channel;

indicating a desire at conduct at least one transaction, determining whether the at least one transaction requires access to the protected resources, and when the at least one transaction requires access to protected resources inputting information in a workstation, wherein a workstation user performs said indicating and inputting operations at the workstation;

determining whether the inputted information is known and determining a state of a communications device when the inputted information is known;

transmitting a biometric authentication request from the server over the first communications channel to the authentication system when the state of the communications device is enrolled;

generating a biometric authentication data capture request in response to the authentication request, and transmitting the biometric authentication data capture request over a second communications channel from the authentication system to the communications device, wherein the communications device is included in the second channel and is associated with one of the plurality of authorized users and the one authorized user is associated with the inputted information;

validating the communications device;

verifying that the at least one transaction is pending;

obtaining the biometric authentication data capture request transmission, capturing biometric authentication data in accordance with the biometric authentication data capture request from the workstation user with the communications device, and transmitting the captured biometric authentication data from the communications device to the authentication system over the second communications channel;

comparing the captured biometric authentication data against biometric authentication data of the one authorized user stored in the authentication system;

generating a one-time pass-phrase, storing the one-time pass-phrase on the authentication system and transmitting the one-time pass-phrase to the communications device over the second communications channel when the workstation user is authenticated as the one authorized user;

obtaining the one-time pass-phase the communications device and entering the one-time pass-phrase into the workstation;

transmitting the one-time pass-phrase from the workstation to the authentication system over the first communications channel, and comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase; and

granting access to the protected resources of the one authorized user when the transmitted and stored one-time pass-phrases match.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction and determining whether the transaction requires access to protected resources. Moreover, the method determines whether inputted information is known, determines a state of a communications device when the inputted information is known, and transmits a biometric authentication request from a server to an authentication system when the state of the communications device is enrolled. Additionally, the method includes validating the communications device, capturing biometric authentication data in accordance with a biometric authentication data capture request with the communications device, biometrically authenticating the user, generating a one-time pass-phrase and storing the one-time pass-phrase on the authentication system when the user is authenticated, comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase, and granting access to the protected resources when the transmitted and stored one-time pass-phrases match.

169 Citations

20 Claims

1. A method of authenticating users to reduce transaction risks, said method comprising:
- storing biometric authentication data and personal data for each of a plurality of authorized users in an authentication system, and storing protected resources in a server, wherein each of the protected resources is associated with at least a corresponding one of the plurality of authorized users, the authentication system is different than the server, and the server is included in a first communications channel;
  
  indicating a desire at conduct at least one transaction, determining whether the at least one transaction requires access to the protected resources, and when the at least one transaction requires access to protected resources inputting information in a workstation, wherein a workstation user performs said indicating and inputting operations at the workstation;
  
  determining whether the inputted information is known and determining a state of a communications device when the inputted information is known;
  
  transmitting a biometric authentication request from the server over the first communications channel to the authentication system when the state of the communications device is enrolled;
  
  generating a biometric authentication data capture request in response to the authentication request, and transmitting the biometric authentication data capture request over a second communications channel from the authentication system to the communications device, wherein the communications device is included in the second channel and is associated with one of the plurality of authorized users and the one authorized user is associated with the inputted information;
  
  validating the communications device;
  
  verifying that the at least one transaction is pending;
  
  obtaining the biometric authentication data capture request transmission, capturing biometric authentication data in accordance with the biometric authentication data capture request from the workstation user with the communications device, and transmitting the captured biometric authentication data from the communications device to the authentication system over the second communications channel;
  
  comparing the captured biometric authentication data against biometric authentication data of the one authorized user stored in the authentication system;
  
  generating a one-time pass-phrase, storing the one-time pass-phrase on the authentication system and transmitting the one-time pass-phrase to the communications device over the second communications channel when the workstation user is authenticated as the one authorized user;
  
  obtaining the one-time pass-phase the communications device and entering the one-time pass-phrase into the workstation;
  
  transmitting the one-time pass-phrase from the workstation to the authentication system over the first communications channel, and comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase; and
  
  granting access to the protected resources of the one authorized user when the transmitted and stored one-time pass-phrases match.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of authenticating users in accordance with claim 1, wherein when the at least one transaction is pending said verifying operation further comprises:
    - displaying the plurality of pending transactions on the communications device;
      
      choosing one of the plurality of pending transactions to conduct; and
      
      determining the biometric authentication data requirement of the one pending transaction.
  - 3. The method of authenticating users in accordance with claim 1, wherein when the at least one transaction is pending said verifying operation further comprises:
    - displaying the plurality of transactions on the communications device;
      
      determining a level of risk associated with each of the plurality of pending transactions;
      
      comparing the determined level of risks to determine a greatest level of risk;
      
      determining a biometric authentication data requirement corresponding to the greatest level of risk; and
      
      including the biometric authentication data requirement in a subsequent biometric authentication data capture request.
  - 4. The method of authenticating users in accordance with claim 1, wherein said capturing the biometric authentication data operation further comprises:
    - verifying that the captured biometric authentication data is of sufficient quality for determining a sufficient quality comparison match and related numerical score; and
      
      capturing biometric authentication data again when the captured biometric authentication data is of insufficient quality.
  - 5. The method of authenticating users in accordance with claim 1, wherein said entering the one-time pass-phrase operation comprises one of entering the one-time pass-phrase manually and entering the one-time pass-phrase automatically by transmitting the one-time pass-phrase to the workstation from the communications device.
  - 6. The method of authenticating users in accordance with claim 1, said determining whether the at least one transaction requires access to the protected resources operation comprising:
    - generating a first configurable policy that associates each of a plurality of transactions with a corresponding one of a plurality of levels of risk and storing the first configurable policy in the server;
      
      comparing the at least one transaction against the first configurable policy to determine the level of risk associated with the at least one transaction; and
      
      determining that access to the protected resources is required to complete the at least one transaction when the level of risk associated with the at least one transaction is greater than a lowest level of risk.
  - 7. The method of authenticating users in accordance with claim 6, further comprising:
    - generating an authentication policy that associates each one of the levels of risk with a corresponding one of a plurality of biometric authentication data requirements;
      
      extracting an authentication level of risk from the biometric authentication request; and
      
      determining the biometric authentication data requirement of the extracted authentication level of risk by consulting the authentication policy.
  - 8. The method of authenticating in accordance with claim 1, further comprising extracting a level of risk from the authentication request and determining a biometric authentication data requirement corresponding to the extracted level of risk, said determining the biometric authentication data requirement operation comprising:
    - consulting an authentication policy including policy levels of risk associated with biometric authentication data requirements, and comparing the extracted level of risk against the policy levels of risk; and
      
      determining the biometric authentication data requirement to be the biometric authentication data requirement that corresponds to the policy level of risk that matches the extracted level of risk.

9. A system for authenticating users that reduces transaction risks, said system comprising:
- a computer configured as a server, said server including at least a database, said server being configured to store within said database a first configurable policy, to determine whether at least one transaction requires access to protected resources when a workstation user indicates a desire to conduct the at least one transaction, to receive information inputted by the workstation user in the workstation, to determine whether the inputted information is known, and to determine a level of risk associated with the at least one transaction;
  
  at least one workstation comprising at least a workstation computer optionally coupled to said server, said workstation being configured to receive information input by the workstation user, wherein said at least one workstation, said server and the network comprise a first communications channel;
  
  an authentication system including an authentication database, said authentication system being configured to communicate with said server, to store within said authentication database biometric authentication data and personal data associated with each of a plurality of authorized users, to store an authentication policy, to verify that the at least one transaction is pending, and to initiate a biometric authentication process over a second communications channel in response to a communication from said first communications channel; and
  
  a communications device included in said second channel, said communications device being associated with one of the plurality of authorized users and being configured to communicate with said authentication system over said second communications channel, to receive a biometric authentication data request transmitted over said second communications channel from said authentication system, to capture biometric authentication data in accordance with the biometric authentication request from the workstation user and transmit the captured biometric data to said authentication system over said second communications channel, wherein the one authorized user is associated with information inputted by the workstation user, said authentication system is further configured to validate said communications device, to determine a state of said communications device when the inputted information is known, to transmit a biometric authentication data request corresponding to a level of risk of the at least one transaction, to compare the captured biometric data against biometric authentication data of the one authorized user, and generate and transmit a one-time pass-phrase over said second communications channel when the workstation user is authenticated as the one authorized user, said communications device is further configured to display the at least one transaction, to receive and display the one-time pass-phrase such that the one-time pass-phrase can be inputted into said workstation and transmitted over said first communications channel to said authentication systems, said authentication system is further configured to compare the one-time pass-phrase transmitted from said authentication system against the one-time pass-phrase received by said authentication system, and said server is configured to grant access to the protected resources of the one authorized user when the one-time pass-phrase transmitted from said authentication system matches the one-time pass-phrase received by said authentication system.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 10. A system for authenticating users in accordance with claim 9, wherein said authentication system is configured to:
    - determine a numerical score for each of a plurality of different biometric comparison matches, wherein each numerical score is based on a quality of corresponding biometric comparison matches;
      
      calculate a confidence score by combining the numerical scores; and
      
      authenticate the workstation user as the one authorized user when the confidence score is at least equal to a predetermined threshold value.
  - 11. A system for authenticating users in accordance with claim 9, wherein said communications device and said authentication system are configured to communicate with each other to repeatedly capture the biometric authentication data and repeatedly compare the captured biometric authentication data against the biometric authentication data of the one authorized user, when the at least one transaction is pending.
  - 12. A system for authenticating users in accordance with claim 9, wherein said server is further configured to:
    - generate the first configurable policy by associating each of a plurality of transactions with a corresponding one of a plurality of levels of risk;
      
      store the first configurable policy in said database;
      
      compare the at least one transaction against the first configurable policy to determine the level of risk associated with the at least one transaction, wherein the at least one transaction is included in the plurality of transactions; and
      
      determine that access to the protected resource is required when the level of risk associated with the at least one transaction is greater than a lowest level of risk.
  - 13. A system for authenticating users in accordance with claim 9, wherein said authentication system is further configured to:
    - extract a level of risk from the authentication request; and
      
      determine a biometric authentication data requirement of the extracted level of risk by consulting the authentication policy, wherein the authentication policy includes policy levels of risk associated with biometric authentication data requirements, comparing the extracted level of risk against the policy levels of risk, and determining the biometric authentication data requirement to be the biometric authentication data requirement that corresponds to the policy level of risk that matches the extracted level of risk.
  - 14. A system for authenticating users in accordance with claim 13, wherein said authentication system is further configured to:
    - define risk factors and associate each of a plurality of level of risk adjustments with an appropriate risk factor; and
      
      adjust the extracted level of risk in accordance with one of the level of risk adjustments prior to determining the biometric authentication requirement.
  - 15. A system for authenticating users in accordance with claim 9, wherein said communications device is not configured to store the captured biometric data, is not configured to authenticate workstation users as authorized users, and is not configured to generate the one-time pass-phrase.
  - 16. A system for authenticating users in accordance with claim 9, wherein when said authentication system verifies that the at least one transaction is pending:
    - said communications device is configured to display the plurality of transactions such that the workstation user can choose one of the plurality of transactions to conduct;
      
      said server system is configured to determine the level of risk of the chosen transaction; and
      
      said authentication system is configured to determine the biometric authentication data requirement of the chosen transaction.
  - 17. A system for authentication users in accordance with claim 9, wherein when said authentication system verifies that the at least one transaction is pending:
    - said communications device is configured to display the plurality of transactions;
      
      said server system is configured to determine the level of risk of each of the plurality of transactions, and compare the determined levels of risk to determine a greatest level of risk; and
      
      said authentication system is further configured to determine a biometric authentication data requirement for the greatest level of risk, and include the biometric authentication data requirement in a subsequent biometric authentication data capture request.
  - 18. A system for authenticating users in accordance with claim 9, wherein said authentication system is further configured to include a request for global positioning system coordinates of said communications device in the biometric authentication data request.

19. A method of authenticating users to reduce transaction risks, said method comprising:
- storing biometric authentication data ad personal data for each of a plurality of authorized users in an authentication system, and storing protected resources in a server, wherein each of the protected resources is associated with a corresponding one of the plurality of authorized users, the authentication system is different than the server, and the server is included in a first communications channel;
  
  indicating a desire to conduct at least one transaction, determining whether the desired at least one transaction requires access to the protected resources and when the at least one transaction requires access to protected resources, inputting information at a workstation, wherein a workstation user performs said indicating and inputting operations at the workstation;
  
  determining whether the inputted information is known and determining a state of a communications device when the inputted information is known;
  
  determining a level of risk for the at least one transaction, and transmitting an authentication request including the level of risk from the server over the first communications channel to the authentication system when the state of the communications device is enrolled;
  
  determining an authentication capture level corresponding to a biometric authentication data requirement for the at least one transaction, and transmitting a biometric authentication data capture request to the communications device, wherein the biometric authentication data capture request includes at least the biometric authentication capture level;
  
  invoking a capture level security application in the communications device and inputting the authentication capture level in the communications device such that the communications device displays the biometric authentication data requirement for the at least one transaction;
  
  validating the communications device and verifying that the communications device is enrolled;
  
  capturing biometric authentication data in accordance with the biometric authentication capture request from the workstation user with the communications device, and transmitting the captured biometric authentication data from the communications device to the authentication system over the second communications channel, when the at least one transaction is pending;
  
  comparing the captured biometric authentication data against biometric authentication data of the one authorized user stored in the authentication system; and
  
  granting access to the protected resources of the one authorized user when the captured biometric data and the biometric authentication data of the one authorized user match.
- View Dependent Claims (20)
- - 20. The method of authenticating users in accordance with claim 19, said comparing operation further comprising:
    - generating a one-time pass-phrase, storing the one-time pass-phrase on the authentication system and transmitting the one-time pass-phrase to the communications device over the second communications channel when the workstation user is authenticated as the one authorized user;
      
      obtaining the one-time pass-phase from the communications device and entering the one-time pass-phrase into the workstation;
      
      transmitting the one-time pass-phrase from the workstation to the authentication system over the first communications channel and comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase; and
      
      granting access to the protected resources when the transmitted and stored one-time pass-phrases match.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corporation DAON Technology
Original Assignee
Daon Holdings Limited
Inventors
White, Conor, Peirce, Michael, Cramer, Jason, Steiner, Chet, Diebes, Suzanna

Granted Patent

US 8,443,202 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/004
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/00   Administration; Management

G06Q 20/4016   involving fraud or risk lev...

G06Q 30/06   Buying, selling or leasing ...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 63/123   received data contents, e.g...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

METHODS AND SYSTEMS FOR AUTHENTICATING USERS

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

169 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR AUTHENTICATING USERS

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

169 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links