Secure, confidential authentication with private data

US 7,676,433 B1
Filed: 03/21/2006
Issued: 03/09/2010
Est. Priority Date: 03/24/2005
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating the identity of a user, in connection with a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:

maintaining a database of obfuscated private data associated with a user identifier;

receiving an identity verification request from the target vendor, the verification request including a user identifier;

issuing a KBA—

knowledge-based authentication—

challenge to a user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of the private data stored in the database;

receiving a response from the user including purported private data responsive to challenge;

if the received purported private data is not obfuscated, obfuscating the purported private data in the same manner as the obfuscated private data is maintained in the database;

comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database; and

returning a result of the comparison to the target vendor without disclosing the stored private data in clear form;

whereinthe foregoing method steps are carried out by a trusted, independent verification service;

the verification service receives the private data from a third-party in obfuscated form and maintains it in the database in that obfuscated form; and

the verification service receives the purported private data from the user in obfuscated form, so that the verification service has no access to the private data in clear form.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Risk of personal identity theft, especially in connection with on-line commerce, is mitigated by maintaining private data in a secure database maintained by a trusted third party verification service. To authenticate the identity of a user or customer, in one embodiment, a knowledge-based challenge is issued to the user, and the response is compared to stored data by the verification service. The verification service reports to the vendor, to authenticate the user identity, capability and or authorization for the proposed transaction without disclosing private data to the vendor.

Citations

21 Claims

1. A method of authenticating the identity of a user, in connection with a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
- maintaining a database of obfuscated private data associated with a user identifier;
  
  receiving an identity verification request from the target vendor, the verification request including a user identifier;
  
  issuing a KBA—
  
  knowledge-based authentication—
  
  challenge to a user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of the private data stored in the database;
  
  receiving a response from the user including purported private data responsive to challenge;
  
  if the received purported private data is not obfuscated, obfuscating the purported private data in the same manner as the obfuscated private data is maintained in the database;
  
  comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database; and
  
  returning a result of the comparison to the target vendor without disclosing the stored private data in clear form;
  
  whereinthe foregoing method steps are carried out by a trusted, independent verification service;
  
  the verification service receives the private data from a third-party in obfuscated form and maintains it in the database in that obfuscated form; and
  
  the verification service receives the purported private data from the user in obfuscated form, so that the verification service has no access to the private data in clear form.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1 wherein the result includes a pass/fail indication based on said comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database.
  - 3. A method according to claim 1 and further comprising notifying the user of the result of the comparison.
  - 4. A method according to claim 1 and further comprising communicating a KBA challenge message to the user on behalf of the vendor to confirm the user'"'"'s ability to effect the requested transaction.
  - 5. A method according to claim 1 and further comprising communicating a KBA challenge message to the user on behalf of the vendor to confirm the user'"'"'s authority to effect the requested transaction.
  - 6. A method according to claim 1 including providing a server computer coupled to the database of private data;
    - and whereinthe identity verification request is transmitted from the target vendor to the server;
      
      the KBA—
      
      knowledge-based authentication—
      
      challenge is transmitted to the user from the server;
      
      the response to the KBA is transmitted from the user to the server; and
      
      the result is transmitted from the server to the requesting target vendor.
  - 7. A method according to claim 6 wherein the said transmissions of information among the server, the vendor and the user are carried out via a communications network.
  - 8. A method according to claim 6 wherein the said transmissions of information among the server, the vendor and the user are carried out via a computer network.
  - 9. A method according to claim 6 and further comprising returning a result of the comparison from the server to the user.

10. A method of authenticating the identity of a user, in connection with a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
- maintaining a database of obfuscated private data associated with a user identifier;
  
  receiving an identity verification request from the target vendor, the verification request including a user identifier;
  
  issuing a KBA—
  
  knowledge-based authentication—
  
  challenge to a user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of the private data stored in the database;
  
  receiving a response from the user including purported private data responsive to challenge;
  
  if the received purported private data is not obfuscated, obfuscating the purported private data in the same manner as the obfuscated private data is maintained in the database;
  
  comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database; and
  
  returning a result of the comparison to the target vendor without disclosing the stored private data in clear form;
  
  wherein the result includes a correlation score calculated based on said comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database.

11. A method of authenticating the identity of a user, in support of a transaction between the user and a target vendor of goods or services, the method comprising the steps of:
- maintaining a database of private data elements associated with a user identifier in the custody of a trusted entity;
  
  receiving an identity verification request from the target vendor, the verification request including a user identifier;
  
  issuing a KBA—
  
  knowledge-based authentication—
  
  challenge to the user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of private data in obfuscated form;
  
  receiving a response from the user including purported private data in obfuscated form;
  
  transmitting the received purported private data to the trusted entity;
  
  at the trusted entity, comparing the purported private data to the corresponding private data elements stored in the database; and
  
  returning a result of the comparison to the target vendor;
  
  wherein;
  
  the foregoing method steps are carried out by a verification service;
  
  the verification service receives the private data from a third-party in obfuscated form and maintains it in the database in that obfuscated form; and
  
  the verification service receives the purported private data from the user in obfuscated form, so that the verification service has no access to the private data in clear form.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. A method according to claim 11 and further comprising:
    - if the result returned to the target vendor authenticates the user'"'"'s identity,receiving from the authenticated user a user-created information string,adding the information string to the database of private data in association with the corresponding user identifier; and
      
      using the stored information string for a subsequent knowledge-based authentication of the user'"'"'s identity.
  - 13. A method according to claim 11 and further comprising:
    - if the result returned to the target vendor confirms the user'"'"'s identity,generating a data string;
      
      storing the generated data string in the database of private data in association with the corresponding user identifier;
      
      communicating the stored data string to the user; and
      
      using the stored data string for a subsequent knowledge-based authentication of the user'"'"'s identity.
  - 14. A method according to claim 11 and including the step of de-obfuscating the purported private data at the trusted entity to form clear purported private data;
    - and wherein said comparing step comprises comparing the clear purported private data to the corresponding private data elements stored in the database.
  - 15. A method according to claim 11 wherein:
    - the private data elements are stored in the database at the trusted entity in obfuscated form; and
      
      said comparing step comprises comparing the obfuscated purported private data to the corresponding obfuscated private data elements stored in the database.
  - 16. A method according to claim 11 wherein the trusted entity maintains current private data of the user in connection with its customer relationship with the user.
  - 17. A method according to claim 11 wherein:
    - the verification service creates a hash table based on the private data; and
      
      said comparing step comprises comparing the user-submitted private data to the corresponding hash table.
  - 18. A method according to claim 11 including providing a server computer under control of the verification service and coupled to the database of private data;
    - and whereinthe identity verification request is transmitted from the target vendor to the verification service server;
      
      the KBA—
      
      knowledge-based authentication—
      
      challenge is transmitted to the user from the verification service server;
      
      the response to the KBA is transmitted from the user to the verification service server; and
      
      the result is transmitted from the verification service server to the requesting target vendor.
  - 19. A method according to claim 11 wherein the said transmissions of information among the server, the vendor and the user are carried out via a communications network.
  - 20. A method according to claim 11 wherein the said transmissions of information among the server, the vendor and the user are carried out via a computer network.

21. A method of verifying authorization of a user to conduct a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
- maintaining a database of obfuscated private data associated with a user identifier, the private data including authorization data;
  
  receiving an authorization verification request from the target vendor, the verification request comprising an obfuscated token that reflects a user identifier and a description of the requested transaction;
  
  comparing the authorization verification request to the authorization data stored in the database in association with the user identifier, without de-obfuscating either the request or the stored authorization data; and
  
  returning a result of the comparison to the target vendor indicating whether or not the requested transaction is consistent with the user'"'"'s authorization data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RAF Software Technology Incorporated
Original Assignee
RAF Technology, Incorporated (Constellation Software Incorporated)
Inventors
Cornell, Bill G., Ross, David Justin
Primary Examiner(s)
SMITH, CREIGHTON H

Application Number

US11/277,133
Time in Patent Office

1,449 Days
Field of Search

713/155, 713/161, 705/44, 705/39
US Class Current

705/39
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/10   specially adapted for elect...

G06Q 20/102   Bill distribution or payments

G06Q 20/105   involving programming of a ...

G06Q 20/12   specially adapted for elect...

G06Q 20/388   using mutual authentication...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 30/06   Buying, selling or leasing ...

G06Q 40/03   Credit; Loans; Processing t...

G06Q 40/04   Trading; Exchange, e.g. sto...

Secure, confidential authentication with private data

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure, confidential authentication with private data

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links