ONE-TIME USE PASSWORD SYSTEMS AND METHODS

US 20110276495A1
Filed: 05/09/2011
Published: 11/10/2011
Est. Priority Date: 05/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method of using a one-time password for a transaction between a user and a merchant, comprising:

generating the one-time password;

authenticating the user by the authentication server in response to a request from the user to use the one-time password;

authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server;

using the one-time password in combination with an account number to settle the transaction between the user and the merchant;

sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction; and

sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to the invention, a method of using a one-time password for a transaction between a user and a merchant is disclosed. The method may include generating the one-time password. The method may also include authenticating the user by the authentication server in response to a request from the user to use the one-time password. The method may further include authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server. The method may moreover include using the one-time password in combination with an account number to settle the transaction between the user and the merchant. The method may additionally include sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction. The method may also include sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.

147 Citations

50 Claims

1. A method of using a one-time password for a transaction between a user and a merchant, comprising:
- generating the one-time password;
  
  authenticating the user by the authentication server in response to a request from the user to use the one-time password;
  
  authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server;
  
  using the one-time password in combination with an account number to settle the transaction between the user and the merchant;
  
  sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction; and
  
  sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the account number comprises a debit card number, and the one-time password comprises a PIN associated with the debit card number.
  - 3. The method of claim 1, wherein the account number comprises a credit card number, and the one-time password comprises a card security code associated with the credit card number.
  - 4. The method of claim 1, wherein generating the one-time password comprises a function of one or more transaction data.
  - 5. The method of claim 1, wherein generating the one-time password comprises a device of the user generating the one-time password.
  - 6. The method of claim 1, wherein generating the one-time password comprises an issuer server generating the one-time password.
  - 7. The method of claim 1, wherein generating the one-time password comprises the authentication server generating the one-time password.
  - 8. The method of claim 1, wherein authenticating the user by the authentication server in response to a request from the user comprises:
    - signing a challenge by a device of the user to create a signed challenge;
      
      sending an authentication message originating from the device of the user to the authentication server via a secure communication channel, wherein the authentication message includes the signed challenge; and
      
      using the signed challenge by the authentication server to authenticate the user.
  - 9. The method of claim 8, wherein signing a challenge by a device of the user to create a signed challenge comprises:
    - receiving a user access code by the device of the user;
      
      using at least the user access code to retrieve a private key from a key wallet, wherein the key wallet is configured to output a key having the appearance of the private key for at least one access code not equaling the user access code; and
      
      creating the signed challenge by encrypting the challenge with the private key.
  - 10. The method of claim 8, wherein the authentication message further comprises:
    - a public key associated with the user, wherein the public key is encrypted using a key known only to the authentication server.
  - 11. The method of claim 8, wherein using the signed challenge by the authentication server to authenticate the user comprises:
    - decrypting a public key associated with the user using a key known only to the authentication server;
      
      decrypting the signed challenge using the public key to create a decrypted challenge;
      
      comparing the decrypted challenge to the challenge; and
      
      authenticating the user in response to a determination that the decrypted challenge equals the challenge.
  - 12. The method of claim 1, wherein using the one-time password in combination with an account number as a part of the transaction comprises a device of the user wirelessly transmitting the one-time password to a device of the merchant.
  - 13. The method of claim 1, wherein using the one-time password in combination with an account number to settle the transaction comprises:
    - the device of the user transmitting the account number to a device of the merchant.

14. A method of using a one-time password for a transaction by a user, comprising:
- requesting authorization from an authentication server to use the one-time password in the transaction;
  
  signing a challenge to create a signed challenge; and
  
  sending the signed challenge to the authentication server to authenticate the user and authorize the use of the one-time password in the transaction.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The method of claim 14, further comprising generating the one-time password and sending the one-time password to the authentication server.
  - 16. The method of claim 14, further comprising receiving the one-time password from the authentication server.
  - 17. The method of claim 14, further comprising a device of the user generating the challenge, such that the authentication server can generate a substantially similar challenge.
  - 18. The method of claim 14, further comprising receiving the challenge from the authentication server.
  - 19. The method of claim 14, wherein the challenge is comprised of at least a part of the one-time password.
  - 20. The method of claim 14, wherein communication between the authentication server and the user passes through an issuer server.
  - 21. The method of claim 14, wherein signing the challenge to create a signed challenge comprises:
    - the user supplying a user access code to a device of the user;
      
      using at least the user access code to retrieve a private key from a key wallet, wherein the key wallet is configured to output a key having the appearance of the private key for at least one access code not equaling the user access code; and
      
      creating the signed challenge by encrypting the challenge with the private key.
  - 22. The method of claim 14, wherein sending the signed challenge to the authentication server further comprises sending a public key that is encrypted using a key known only to the authentication server.
  - 23. The method of claim 14, further comprising a device of the user displaying the one-time password for the user to read.
  - 24. The method of claim 14, further comprising a device of the user transmitting the one-time password to a device of a merchant.
  - 25. The method of claim 14, further comprising transmitting an account number to a device of the merchant.

26. A method of processing a password and an account number by an issuer server, the password and account number being used in a transaction, the method comprising:
- receiving the password and the account number from a device of a merchant as part of the transaction;
  
  in response to receiving the password and the account number, associating the account number with an account of a customer of the issuer server;
  
  determining whether the password is a one-time password;
  
  in response to a determination that the password is a one-time password, sending the password to an authentication server to verify that the password is authorized for the transaction;
  
  receiving a determination from the authentication server as to whether the password is authorized for use in the transaction by an authenticated user; and
  
  in response to the determination from the authentication server as to whether the password is authorized, sending the device of the merchant a determination as to whether the transaction should be approved.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The method of claim 26, further comprising restricting use of the account in future transactions after a predetermined number of failed authorization attempts.
  - 28. The method of claim 26, wherein communication between the device of the merchant and issuer server passes through an acquirer server.
  - 29. The method of claim 26, wherein communication between the device of the merchant and issuer server passes through a payment network.
  - 30. The method of claim 26, further comprising:
    - receiving an authorization request to use the one-time password in the transaction from a user, and sending the authorization request to the authentication server.

31. A method of authorizing a one-time password by an authentication server to be used in a transaction by a user, comprising:
- receiving a request originating from a device of the user to authorize the one-time password;
  
  sending a challenge via a secure communication channel to the device of the user to authenticate the user;
  
  receiving a signed challenge originating from the device of the user via a secure communication channel;
  
  determining whether the user is authentic; and
  
  authorizing the one-time password for use in the transaction in response to a determination that the user is authentic.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38)
- - 32. The method of claim 31, further comprising:
    - receiving a request originating from an issuer server to determine if the one-time password has been authorized for use in the transaction; and
      
      in response to a determination that the one-time password is authorized for use, sending a notification to the issuer server that the one-time password is authorized.
  - 33. The method of claim 31, further comprising:
    - in response to a determination that the one-time password is authorized for use, sending a notification to the issuer server that the one-time password is authorized.
  - 34. The method of claim 31, further comprising restricting the user'"'"'s access to future one-time password authorization if the user is determined not to be authentic after a predetermined number of failed authentication attempts.
  - 35. The method of claim 31, further comprising receiving the one-time password in a message originating from the user.
  - 36. The method of claim 31, further comprising generating the one-time password and sending it to the user.
  - 37. The method of claim 31, wherein the step of receiving a signed challenge originating from the device of the user via a secure communication channel further comprises receiving a public key this is encrypted with a key known only to the authentication server.
  - 38. The method of claim 37, wherein the step of determining whether the user is authentic comprises:
    - decrypting the public key using the key known only to the authentication server;
      
      decrypting the signed challenge using the public key to create a decrypted challenge;
      
      determining whether the decrypted challenge matches the challenge; and
      
      determining that the user is authentic in response to determining that the decrypted challenge matches the challenge.

39. A system for using a one-time password in a transaction, comprising:
- a device of a user;
  
  a device of a merchant configured to receive the one-time password and an account number from the device of the user;
  
  an authentication server configured to receive a request originating from the device of the user to authorize the one-time password for use in the transaction;
  
  an issuer server configured to communicate with the device of the merchant to determine whether the one-time password is authorized for use in the transaction, and configured to communicate with the authentication server to determine whether the one-time password is authorized for use in the transaction; and
  
  wherein the authentication server is configured to communicate with the issuer server to determine whether the one-time password is authorized for use in the transaction.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. The system of claim 39, further comprising:
    - an acquirer server configured to communicate with the device of the merchant to authorize the transaction using the one-time password;
      
      a payment network configured to communicate with the acquirer server to authorize the transaction using the one-time password, and configured to communicate with the issuer server to authorize the transaction using the one-time password; and
      
      wherein the acquirer server is configured to communicate with the payment network to authorize the transaction using the one-time password.
  - 41. The system of claim 39, wherein the device of the user comprises a key wallet configured to:
    - securely store at least a private key in encrypted form;
      
      accept a user access code;
      
      decrypt and output at least the private key in response to a correct user access code; and
      
      output a key having the appearance of the private key for at least one user access code not equaling the correct user access code.
  - 42. The system of claim 41, wherein the device of the user is further configured to:
    - sign a challenge using the private key to create a signed challenge; and
      
      send to the authentication server the signed challenge and a public key that is paired with the private key, wherein the public key is encrypted using a key known only to the authentication server.
  - 43. The system of claim 39, wherein the authentication server is further configured to:
    - receive a public key that has been encrypted using a key known only to the authentication server;
      
      receive an signed challenge that has been signed using a private key that is paired with the public key;
      
      decrypt the public key using the key known only to the authentication server;
      
      decrypt the signed challenge using the public key to create a decrypted challenge; and
      
      determine if the decrypted challenge matches a previously defined challenge.
  - 44. The system of claim 39, wherein the device of the merchant is configured to receive the one-time password from the user by a user receiving the one-time password from the device of the user and manually entering the one-time password into the device of the merchant.
  - 45. The system of claim 39, wherein the device of the merchant is configured to receive the one-time password from the device of the user by the device of the user transmitting the one-time password to the device of the merchant.
  - 46. The system of claim 39, wherein the device of the merchant is configured to receive the account number from the device of the user by the device of the user transmitting the account number to the device of the merchant.

47. A computer program product on a machine-readable medium for an issuer server including a processor, comprising:
- code that directs the processor to receive a message originating from a device of a merchant, the message comprising a password and an account number;
  
  code that directs the processor to associate the account number with an account of a customer of the issuer server;
  
  code that directs the processor to determine whether the password is a one-time password;
  
  code that directs the processor to send a message comprising the password to an authentication server to determine whether the password is authorized as a one-time password for the transaction;
  
  code that directs the processor to receive a message from the authentication server indicating whether the one-time password is authorized by an authenticated user; and
  
  code that directs the processor to send a message to the merchant including a determination whether the transaction is approved.
- View Dependent Claims (48, 49, 50)
- - 48. The computer program product of claim 47, further comprising code that directs the processor to restrict access to the account in future transactions after a predetermined number of failed authorization attempts.
  - 49. The computer program product of claim 47, wherein the code that directs the processor to communicate with the device of the merchant sends and receives messages through an acquirer server.
  - 50. The computer program product of claim 47, wherein the code that directs the processor to communicate with the device of the merchant sends and receives messages through a payment network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Malpani, Ambarish, Varadarajan, Rammohan

Granted Patent

US 9,665,868 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/71
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 2221/2103   Challenge-response

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

H04L 2209/56   Financial cryptography, e.g...

H04L 2463/062   applying encryption of the ...

H04L 63/0838   using one-time-passwords

H04L 9/0822   using key encryption key

H04L 9/321   involving a third party or ...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

ONE-TIME USE PASSWORD SYSTEMS AND METHODS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

147 Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

ONE-TIME USE PASSWORD SYSTEMS AND METHODS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

147 Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links