Secure, confidential authentication with private data
Abstract
Risk of personal identity theft, especially in connection with on-line commerce, is mitigated by maintaining private data in a secure database maintained by a trusted third-party verification service. To authenticate the identity of a user or customer, in one embodiment, a knowledge-based challenge is issued to the user, and the response is compared to stored data by the verification service. The verification service reports to the vendor, to authenticate the user identity, capability and/or authorization for the proposed transaction without disclosing private data to the vendor.
21 Claims
1. A method of authenticating the identity of a user, in connection with a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
maintaining a database of obfuscated private data associated with a user identifier;
receiving an identity verification request from the target vendor, the verification request including a user identifier;
issuing a KBA—knowledge-based authentication—challenge to a user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of the private data stored in the database;
receiving a response from the user including purported private data responsive to challenge;
if the received purported private data is not obfuscated, obfuscating the purported private data in the same manner as the obfuscated private data is maintained in the database;
comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database; and
returning a result of the comparison to the target vendor without disclosing the stored private data in clear form;
wherein the foregoing method steps are carried out by a trusted, independent verification service;
the verification service receives the private data from a third-party in obfuscated form and maintains it in the database in that obfuscated form; and
the verification service receives the purported private data from the user in obfuscated form, so that the verification service has no access to the private data in clear form.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)
10. A method of authenticating the identity of a user, in connection with a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
maintaining a database of obfuscated private data associated with a user identifier;
receiving an identity verification request from the target vendor, the verification request including a user identifier;
issuing a KBA—knowledge-based authentication—challenge to a user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of the private data stored in the database;
receiving a response from the user including purported private data responsive to challenge;
if the received purported private data is not obfuscated, obfuscating the purported private data in the same manner as the obfuscated private data is maintained in the database;
comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database; and
returning a result of the comparison to the target vendor without disclosing the stored private data in clear form;
wherein the result includes a correlation score calculated based on said comparing the obfuscated purported private data to the corresponding obfuscated private data stored in the database.
11. A method of authenticating the identity of a user, in support of a transaction between the user and a target vendor of goods or services, the method comprising the steps of:
maintaining a database of private data elements associated with a user identifier in the custody of a trusted entity;
receiving an identity verification request from the target vendor, the verification request including a user identifier;
issuing a KBA—knowledge-based authentication—challenge to the user associated with the received user identifier, the challenge requesting that the user submit at least one specified element of private data in obfuscated form;
receiving a response from the user including purported private data in obfuscated form;
transmitting the received purported private data to the trusted entity;
at the trusted entity, comparing the purported private data to the corresponding private data elements stored in the database; and
returning a result of the comparison to the target vendor;
wherein;
the foregoing method steps are carried out by a verification service;
the verification service receives the private data from a third-party in obfuscated form and maintains it in the database in that obfuscated form; and
the verification service receives the purported private data from the user in obfuscated form, so that the verification service has no access to the private data in clear form.
(Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20)
21. A method of verifying authorization of a user to conduct a requested transaction between the user and a target vendor of goods or services, leveraging selected private data of the user without disclosing the private data to the vendor, the method comprising the steps of:
maintaining a database of obfuscated private data associated with a user identifier, the private data including authorization data;
receiving an authorization verification request from the target vendor, the verification request comprising an obfuscated token that reflects a user identifier and a description of the requested transaction;
comparing the authorization verification request to the authorization data stored in the database in association with the user identifier, without de-obfuscating either the request or the stored authorization data; and
returning a result of the comparison to the target vendor indicating whether or not the requested transaction is consistent with the user's authorization data.
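The flow recited in claims 1 and 10, as an added example that is not taken from the patent. The claims do not say how data is obfuscated, so HMAC-SHA256 under a per-user key that the verification service never holds is assumed here; all class, function and field names and the sample record are constructed.

```python
import hashlib
import hmac
import unicodedata

def obfuscate(user_key: bytes, field: str, value: str) -> bytes:
    """Keyed one-way transform applied outside the service (assumed: HMAC-SHA256).

    The key is held by the data provider and the user's device, not by the
    verification service: an unkeyed hash of low-entropy data such as a
    birth date could be reversed by simple enumeration.
    """
    canon = unicodedata.normalize("NFKC", value).strip().casefold()
    msg = field.encode() + b"\x00" + canon.encode()
    return hmac.new(user_key, msg, hashlib.sha256).digest()

class VerificationService:
    """Stores and compares obfuscated elements only."""

    def __init__(self):
        self._db = {}  # user_id -> {field: digest}

    def enroll(self, user_id, obfuscated_record):
        self._db[user_id] = dict(obfuscated_record)

    def challenge(self, user_id, wanted):
        # Only ask for elements that are on file for this user.
        return [f for f in wanted if f in self._db.get(user_id, {})]

    def verify(self, user_id, asked, response):
        """Result returned to the vendor: verdict plus correlation score."""
        stored = self._db.get(user_id, {})
        hits = sum(
            # Constant-time comparison; a missing answer counts as a miss.
            f in stored and hmac.compare_digest(stored[f], response.get(f, b""))
            for f in asked
        )
        score = hits / len(asked) if asked else 0.0
        return {"match": bool(asked) and hits == len(asked), "score": score}

# Constructed sample data for the demonstration.
KEY = b"constructed-demo-key"
RECORD = {"dob": "1980-02-29", "prior_street": "12 Elm Road"}

def run(answers, user_id="u-1001"):
    svc = VerificationService()
    svc.enroll("u-1001", {f: obfuscate(KEY, f, v) for f, v in RECORD.items()})
    asked = svc.challenge(user_id, ["dob", "prior_street"])
    reply = {f: obfuscate(KEY, f, answers[f]) for f in asked if f in answers}
    return svc.verify(user_id, asked, reply)
```

Because both sides canonicalise before applying the transform, an answer that differs only in case or surrounding whitespace still matches, while any other difference yields an unrelated digest and lowers the score.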
Specification