Mobile account authentication service

US 7,707,120 B2
Filed: 02/19/2003
Issued: 04/27/2010
Est. Priority Date: 04/17/2002
Status: Active Grant

First Claim

Patent Images

1. A method by which a trusted party computer authenticates the identity of an account holder during a transaction between said account holder and a requesting party computer, said method comprising:

establishing an online, Internet communication connection between said requesting party computer and an Internet-capable mobile device of said account holder in order to conduct said transaction;

creating a condensed authentication request message at said requesting party computer;

transmitting said condensed authentication request message to said trusted party computer via said mobile device of said account holder;

verifying the identity of said account holder by said trusted party computer using an identity-authenticating token received from said account holder;

creating a condensed authentication response message at said trusted party computer;

transmitting said condensed authentication response message to said requesting party computer via said mobile device of said account holder; and

validating, by said requesting party computer, that said condensed authentication response message indicates that the identity of said account holder is authenticated, whereby the identity of said account holder is authenticated by said trusted party computer for said requesting party computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A payment authentication service authenticates the identity of a payer during online transactions. The authentication service allows a card issuer to verify a cardholder'"'"'s identity using a variety of authentication methods, such as with the use of tokens. Authenticating the identity of a cardholder during an online transaction involves querying an access control server to determine if a cardholder is enrolled in the payment authentication service, requesting a password from the cardholder, verifying the password, and notifying a merchant whether the cardholder'"'"'s authenticity has been verified. Systems for implementing the authentication service in which a cardholder uses a mobile device capable of transmitting messages via the Internet are described. Systems for implementing the authentication service in which a cardholder uses a mobile device capable of transmitting messages through voice and messaging channels is also described.

Citations

50 Claims

1. A method by which a trusted party computer authenticates the identity of an account holder during a transaction between said account holder and a requesting party computer, said method comprising:
- establishing an online, Internet communication connection between said requesting party computer and an Internet-capable mobile device of said account holder in order to conduct said transaction;
  
  creating a condensed authentication request message at said requesting party computer;
  
  transmitting said condensed authentication request message to said trusted party computer via said mobile device of said account holder;
  
  verifying the identity of said account holder by said trusted party computer using an identity-authenticating token received from said account holder;
  
  creating a condensed authentication response message at said trusted party computer;
  
  transmitting said condensed authentication response message to said requesting party computer via said mobile device of said account holder; and
  
  validating, by said requesting party computer, that said condensed authentication response message indicates that the identity of said account holder is authenticated, whereby the identity of said account holder is authenticated by said trusted party computer for said requesting party computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. A method as recited in claim 1 wherein said trusted party computer is operated by an issuer that maintains an account of said account holder, said method further comprising:
    - verifying, by said issuer during a registration process, the identity of said account holder as the owner of said account and designating a registration token for said account; and
      
      comparing said received identity-authenticating token against said registration token previously designated for said account of said account holder, whereby said issuer verifies the identity of said account holder.
  - 3. A method as recited in claim 1 wherein said identity-authenticating token is a password, a response to a question, a cryptogram or a value from a chip card.
  - 4. A method as recited in claim 1 further comprising:
    - transmitting a verification of enrollment request message from said requesting party computer to said trusted party computer wherein said verification of enrollment request message includes an account number of said account holder;
      
      determining, by said trusted party computer, if said account number of said account holder is contained within a list of enrolled account holders who are capable of being authenticated by said trusted party; and
      
      transmitting a verification of enrollment response message from said trusted party computer to said requesting party computer through the Internet wherein said verification of enrollment response message indicates if said account number is contained within said list of enrolled account holders.
  - 5. A method as recited in claim 4 further comprising:
    - including an extension field on said verification of enrollment response message that includes a chain of trusted party digital certificates.
  - 6. A method as recited in claim 1 wherein each of said condensed messages are Internet-based messages that are made up of multiple elements that each have an element name tag, each element name tag having a first tag size, said method further comprising:
    - replacing each of the element name tags with a respective shortened element name tag that has a second tag size, each of the second tag sizes being smaller than its respective first tag size.
  - 7. A method as recited in claim 1 further comprising:
    - reconstructing a complete authentication response message at said requesting party computer by combining said condensed authentication response message with data available at said requesting party computer; and
      
      validating a digital signature of said complete authentication response message to confirm that the identity of said account holder is authenticated.
  - 8. A method as recited in claim 1 wherein said trusted party computer is operated by a financial institution.
  - 9. A method as recited in claim 1 wherein said requesting party computer is operated by an online merchant, wherein said trusted party is operated by a financial institution, wherein said transaction is a financial transaction and wherein said account of said account holder is maintained by said financial institution.
  - 10. A method as recited in claim 1 wherein said mobile device is a WAP telephone and communication between said mobile device and said trusted party computer utilizes a WAP gateway.
  - 11. A method as recited in claim 1 wherein said step of verifying includes:
    - contacting, by said trusted party computer, said mobile device of said account holder using a telephone number of said mobile device and establishing a text message channel or a voice channel; and
      
      receiving said identity-authenticating token from said mobile device over said text message channel or said voice channel, whereby said account holder provides authenticating information to said trusted party computer over a non-Internet connection.
  - 12. A method as recited in claim 1 further comprising:
    - redirecting an Internet browser of said Internet-capable mobile device from a web site of said requesting party computer to said trusted party computer, whereby said trusted party computer receives said identity-authenticating token from said account holder; and
      
      redirecting said Internet browser of said mobile device from said trusted party computer back to said web site of said requesting party trusted party computer.
  - 13. A method as recited in claim 12 further comprising:
    - transmitting said condensed authentication request message and said condensed authentication response message by embedding said messages within markup language forms.
  - 14. A method as recited in claim 1 further comprising:
    - performing said steps of transmitting and said step of verifying without the use of any additional software on said mobile device of said account holder relating to said method of authenticating.
  - 15. A method as recited in claim 1 wherein said step of verifying further includes:
    - said trusted party trusted party computer contacting said account holder to obtain said identity-authenticating token using a messaging or a voice channel of said mobile device.

16. An account authentication system in which a trusted party authenticates the identity of an account holder with respect to an account during a transaction between said account holder and a requesting party, the system comprising:
- an Internet-capable mobile device of said account holder;
  
  a requesting party server configured to communicate online over the Internet with said mobile device of said account holder in order to process said transaction, said requesting party server further configured to create a condensed authentication request message and to transmit said request message to said trusted party via said mobile device;
  
  an access control server controlled by said trusted party and configured to communicate over the Internet with said mobile device of said account holder, said access control server further configured to verify the identity of said account holder using an identity-authenticating token received from said account holder and to create a condensed authentication response message; and
  
  a requesting party software module configured to receive said condensed authentication response message via said mobile device and to validate that said response message indicates that the identity of said account holder is authenticated.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. An account authentication system as recited in claim 16 wherein said requesting party software module is further configured to reconstruct a complete authentication response message by combining said condensed authentication response message with data available at said requesting party and to validate a digital signature of said complete authentication response message to confirm that the identity of said account holder is authenticated.
  - 18. An account authentication system as recited in claim 16 wherein said trusted party is an issuer that maintains an account of said account holder, wherein said access control server is further configured to verify during a registration process the identity of said account holder as the owner of said account and to designate a registration token for said account, and wherein said access control server is further configured to receive an identity-authenticating token from said account holder and to authenticate the identity of said account holder based upon a comparison of said registration token with said identity-authenticating token.
  - 19. An account authentication system as recited in claim 16 further comprising:
    - a verification of enrollment response message that indicates if said account holder is enrolled in an authentication service; and
      
      wherein said access control server is configured to transmit said verification of enrollment response message to said requesting party software module through the Internet.
  - 20. A system as recited in claim 19 further wherein said verification of enrollment response message includes an extension field that includes a chain of trusted party digital certificates.
  - 21. An account authentication system as recited in claim 16 wherein said identity-authenticating token is a password, a response to a question, a cryptogram or a value from a chip card.
  - 22. An account authentication system as recited in claim 16 wherein said trusted party is a financial institution and maintains said account of said account holder.
  - 23. An account authentication system as recited in claim 22 wherein said requesting party is an online merchant who conducts a financial transaction with said account holder.
  - 24. A system as recited in claim 16 wherein said mobile device is a WAP telephone, said account authentication system further comprising:
    - a WAP gateway by which said mobile device and said trusted party computer communicate.
  - 25. An account authentication system as recited in claim 16 wherein said Internet-capable mobile device of said account holder includes an Internet browser, said browser arranged to be redirected from said requesting party server to said access control server of said trusted party, whereby said trusted party receives said identity-authenticating token, said Internet browser being further arranged to be redirected from said access control server back to said requesting party server.
  - 26. An account authentication system as recited in claim 25 wherein said condensed authentication request message and said condensed authentication response message are embedded within markup language forms.
  - 27. An account authentication system as recited in claim 16 wherein said Internet-capable mobile device does not including any additional software relating to said account authentication system.
  - 28. An account authentication system as recited in claim 16 wherein said access control server is further configured to receive said identity-authenticating token from said account holder using a messaging or a voice channel of said mobile device.

29. A method by which a trusted party computer authenticates the identity of an account holder during a transaction between said account holder and a requesting party computer, said method comprising:
- conducting said transaction between a mobile telephone of said account holder and said requesting party computer over a first voice channel or by using a first two-way messaging service;
  
  sending an authentication request message from said requesting party computer to said trusted party computer over the Internet, said request message not being routed through said mobile telephone;
  
  establishing communication between said mobile telephone and said trusted party computer over a second voice channel or by using a second two-way messaging service;
  
  transmitting an authenticating token from said account holder to said trusted party computer over said second voice channel or by using said second messaging service;
  
  authenticating, by said trusted party computer, the identity of said account holder using said authenticating token; and
  
  sending an authentication response message from said trusted party computer to said requesting party computer over the Internet, said response message not being routed through said mobile telephone; and
  
  validating, by said requesting party computer, that said authentication response message indicates that the identity of said account holder is authenticated, whereby said trusted party computer authenticates the identity of said account holder for said requesting party computer.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 30. A method as recited in claim 29 wherein said trusted party computer is operated by an issuer that maintains an account of said account holder, said method further comprising:
    - verifying, by said issuer during a registration process, the identity of said account holder as the owner of said account and designating a registration token for said account; and
      
      authenticating, by said trusted party computer, the identity of said account holder based upon a comparison of said registration token with said authenticating token.
  - 31. A method as recited in claim 29 wherein said authenticating token is a password, a PIN, a response to a challenge, a cryptogram or a value from a chip card.
  - 32. A method as recited in claim 29 wherein the operation of sending said authentication request message from said requesting party to said trusted party computer further comprises:
    - constructing a first HTML form containing said authentication request message; and
      
      posting said first HTML form directly to said trusted party computer.
  - 33. A method as recited in claim 32 wherein the operation of sending said authentication response message from said trusted party computer to said requesting party computer further comprises:
    - constructing a second HTML form containing said authentication response message; and
      
      posting said second HTML form directly to said requesting party computer.
  - 34. A method as recited in claim 29 wherein said conducting said transaction uses said first voice channel, wherein said establishing communication uses said second voice channel, said method further comprising:
    - said requesting party computer ending use of said first voice channel before said trusted party computer establishes communication over said second voice channel.
  - 35. A method as recited in claim 29 wherein said sending of authentication request mes sage includessending said authentication request message from said requesting party computer to a proxy server;
    - andforwarding said authentication request message from said proxy server to said access control server, whereby security of said requesting party computer is increased.
  - 36. A method as recited in claim 35 wherein sending of authentication response message includessending said authentication response message from said trusted party computer to said proxy server;
    - andforwarding said authentication response message from said proxy server to said requesting party computer, whereby security of said trusted party computer is increased.
  - 37. A method as recited in claim 29 wherein said first messaging service is SMS or uses USSD, and wherein said second messaging service is SMS or uses USSD.
  - 38. A method as recited in claim 29 further comprising:
    - creating a verification of enrollment request message that includes a query as to said trusted party computer'"'"'s capability to authenticate the identity of said account holder and information regarding the communications protocol used by said mobile telephone of said account holder; and
      
      transmitting said verification of enrollment request message from said requesting party computer to said trusted party computer.
  - 39. A method as recited in claim 38 further comprising:
    - creating a verification of enrollment response message that indicates whether said trusted party computer has the capability to authenticate the identity of said account holder; and
      
      transmitting said verification of enrollment response message from said trusted party computer to said requesting party computer.
  - 40. A method as recited in claim 29 further comprising:
    - initiating an authorization process for said transaction when said authentication response message indicates that the identity of said account holder has been authenticated.

41. An account authentication system in which a trusted party authenticates the identity of an account holder during a transaction between said account holder and a requesting party, said system comprising:
- a mobile telephone of said account holder;
  
  a requesting party server configured to communicate with said account holder in order to process said transaction, said requesting party server further configured to transmit an authentication request message over the Internet to said trusted party;
  
  a first voice channel or first messaging service used between said requesting party server and said mobile telephone of said account holder to process said transaction;
  
  an access control server controlled by said trusted party, said access control server further configured to send an authentication response message to said requesting party over the Internet;
  
  a second voice channel or second messaging service used between said mobile telephone of said account holder and said access control server;
  
  an authenticating token that is transmitted from said account holder to said access control server over said second voice channel or second messaging service, said authenticating token configured to be used by said access control server to authenticate the identity of said account holder; and
  
  a requesting party software module configured to validate that said authentication response message indicates that the identity of said account holder is authenticated.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 42. An account authentication system as recited in claim 41 wherein said authenticating token is a password, a PIN, a response to a challenge, a cryptogram or a value from a chip card.
  - 43. An account authentication system as recited in claim 41 further comprising:
    - a proxy server that routes said authentication request message and said authentication response message between said requesting party server and said access control server, whereby security is increased.
  - 44. An account authentication system as recited in claim 43 further comprising:
    - a verification of enrollment response message that indicates if said trusted party has the capability to authenticate the identity of said account holder, wherein said verification of enrollment response message is transmitted from said trusted party to said requesting party software module, and wherein said verification of enrollment response message includes an extension field that specifies the URL of said proxy server.
  - 45. An account authentication system as recited in claim 41 wherein said trusted party is an issuer that maintains an account of said account holder, wherein said access control server is further configured to verify during a registration process the identity of said account holder as the owner of said account and to designate a registration token for said account, and wherein said access control server is further configured to authenticate the identity of said account holder based upon a comparison of said registration token with said authenticating token.
  - 46. An account authentication system as recited in claim 41 wherein said first messaging service is SMS or uses USSD, and wherein said second messaging service is SMS or uses USSD.
  - 47. An account authentication system as recited in claim 41 further comprising:
    - a verification of enrollment request message that includes a query as to said trusted party'"'"'s capability to authenticate the identity of said account holder and information regarding the communications protocol used by said mobile telephone of said account holder, wherein said verification of enrollment request message is transmitted from said requesting party server to said trusted party.
  - 48. An account authentication system as recited in claim 47 wherein said verification of enrollment request message further includes an extension field that indicates if said authentication request message is to be sent to said access control server directly over the Internet or via said mobile telephone used by said account holder.
  - 49. An account authentication system as recited in claim 47 wherein said verification of enrollment request message further includes a hash of said account holder'"'"'s mobile telephone number, said access control server configured to use said hash to determine if the identity of said account holder can be authenticated.
  - 50. An account authentication system as recited in claim 41 further comprising:
    - a verification of enrollment response message that indicates if said trusted party has the capability to authenticate the identity of said account holder, wherein said verification of enrollment response message is transmitted from said trusted party to said requesting party over the Internet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Reno, James Donald, Dominguez, Benedicto H., Roth, Janet T., Manessis, Thomas J., Caillon, Pascal Achille, Spielman, Jason, Spielman, Terence
Primary Examiner(s)
Elisca; Pierre E

Application Number

US10/370,149
Publication Number

US 20030200184A1
Time in Patent Office

2,624 Days
Field of Search

705/78, 705/30, 705/67, 705/64
US Class Current

705/78
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/0855   involving a third party

G06Q 20/12   specially adapted for elect...

G06Q 20/322   Aspects of commerce using m...

G06Q 20/347   Passive cards

G06Q 20/3674   involving authentication

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

G06Q 20/425   using two different network...

G06Q 30/0601   Electronic shopping [e-shop...

G06Q 40/12   Accounting

G07F 7/10   together with a coded signa...

G07F 7/1008   Active credit-cards provide...

G07F 7/1025   Identification of user by a...

G07F 7/1075   PIN is checked remotely

H04L 2463/102   applying security measure f...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/083 : using passwords cryptograph...

H04L 63/166 : at the transport layer

H04L 63/18 : using different networks or...

Y04S 40/20 : Information technology spec...

View All

Mobile account authentication service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

50 Claims

Specification

Solutions

Use Cases

Quick Links

Mobile account authentication service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

50 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links