Method, system and program product for authenticating a user seeking to perform an electronic service request

US 8,424,061 B2
Filed: 09/12/2006
Issued: 04/16/2013
Est. Priority Date: 09/12/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A processor-implemented method for authenticating a user seeking to perform at least one electronic service request, said method comprising the steps of:

verifying, by a processor, user identity data received from a user requesting at least one electronic service from a plurality of electronic services;

identifying, by the processor, a risk level for said at least one electronic service requested by said user, wherein identification of said risk level is based on a set of user profile data associated with said user;

storing, by the processor, a static challenge that comprises at least one of a plurality of subjective questions for said user, wherein said at least one subjective question requests a subjective answer that is based on a subjective opinion, about said user, from said user;

storing, by the processor, a dynamic challenge that comprises at least one of a plurality of objective questions for said user, wherein said at least one of said plurality of objective questions requests an objective answer that is based on a past financial transaction between said user and a financial institution;

issuing to said user, using a customer relationship management system, a challenge corresponding to said risk level identified for said at least one electronic service requested, wherein said challenge is either said static challenge if said risk level is determined to be low or said dynamic challenge if said risk level is determined to be high, wherein only one of said static challenge or said dynamic challenge is issued based on said risk level of said user, and wherein said issuing further comprises;

checking a set of user profile data associated with said user;

detecting whether or not any variances are found based on said set of user profile data associated with said user; and

identifying a risk level for said at least one electronic service request received based on whether or not said any variances are found; and

authorizing said at least one electronic service requested only if a correct response is received to either said static challenge or said dynamic challenge.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and program product for authenticating a user seeking to perform an electronic service request is provided. The method includes verifying user identity data received from a user requesting an electronic service, detecting whether or not any variances are found based on the set of user profile data associated with the user seeking to perform the electronic service requested, identifying the risk level for the electronic service based on whether or not any variances are found and any characteristics thereof, if any variances are found, applying one or more business policies or rules for handling any variances that are found. The method further includes issuing to the user, using a customer relationship management system, a challenge corresponding to the risk level identified for the electronic service requested, and authorizing the user to perform the electronic service requested only if a correct response is received to the challenge issued.

Citations

22 Claims

1. A processor-implemented method for authenticating a user seeking to perform at least one electronic service request, said method comprising the steps of:
- verifying, by a processor, user identity data received from a user requesting at least one electronic service from a plurality of electronic services;
  
  identifying, by the processor, a risk level for said at least one electronic service requested by said user, wherein identification of said risk level is based on a set of user profile data associated with said user;
  
  storing, by the processor, a static challenge that comprises at least one of a plurality of subjective questions for said user, wherein said at least one subjective question requests a subjective answer that is based on a subjective opinion, about said user, from said user;
  
  storing, by the processor, a dynamic challenge that comprises at least one of a plurality of objective questions for said user, wherein said at least one of said plurality of objective questions requests an objective answer that is based on a past financial transaction between said user and a financial institution;
  
  issuing to said user, using a customer relationship management system, a challenge corresponding to said risk level identified for said at least one electronic service requested, wherein said challenge is either said static challenge if said risk level is determined to be low or said dynamic challenge if said risk level is determined to be high, wherein only one of said static challenge or said dynamic challenge is issued based on said risk level of said user, and wherein said issuing further comprises;
  
  checking a set of user profile data associated with said user;
  
  detecting whether or not any variances are found based on said set of user profile data associated with said user; and
  
  identifying a risk level for said at least one electronic service request received based on whether or not said any variances are found; and
  
  authorizing said at least one electronic service requested only if a correct response is received to either said static challenge or said dynamic challenge.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, further comprising the steps of:
    - monitoring any additional electronic service requested by said user;
      
      issuing to said user another challenge based on said any additional electronic service requested, said another challenge corresponding to a risk level identified for said any additional electronic service requested; and
      
      authorizing said user to conduct said any additional electronic service requested only if a correct response is received to said another challenge.
  - 3. The method according to claim 1, wherein said verifying step comprises the steps of:
    - receiving said user identity data comprising a username and a password; and
      
      authenticating said user identity data received using an authentication engine.
  - 4. The method according to claim 1, wherein said detecting step further comprises the step of:
    - if said any variances are found, applying, using a business rules engine, one or more rules for handling said any variances that are found, such that said at least first challenge issued corresponds to said risk level identified for said at least one electronic service requested.
  - 5. The method according to claim 1, wherein said static challenge is created by said user during registration with a host system for said at least one electronic service, and wherein said dynamic challenge is created by a data/analytics system based on monitored behavior of said user over a course of time.
  - 6. The method according to claim 1, wherein said subjective answer comprises an indeterminate frequency of a sporting activity by said user during a predetermined annual season.
  - 7. The method according to claim 1, further comprising:
    - determining if a variance has occurred, wherein the variance is an unusual present user behavior, compared with typical past user behavior, that is exhibited by said user when requesting access to said at least one electronic service, and wherein said unusual present user behavior is said user logging into said at least one electronic service from a different location and a different time than a usual location and time for previous log ins by said user to said at least one electronic service; and
      
      issuing said static challenge or said dynamic challenge based on characteristics of any variances found, any business rules and policies that are applicable, and an assessment of risk level for said at least one electronic service requested.

8. A system for authorizing a user to execute one or more electronic service requests, comprising:
- an authentication module configured to authenticate user identity data received from a user seeking access to a host for executing one or more electronic service requests, said authentication module being configured to grant access to said host upon authentication of said user identity data; and
  
  a fraud detection module configured to monitor each electronic service request of said one or more electronic service requests received from said user having access granted to said host, said fraud detection module being configured to identify a risk level for said each electronic service request received from said user and to generate a challenge for said each electronic service request received from said user, said challenge corresponding to said risk level identified and corresponding to any associated business policies that may apply, such that said challenge generated is issued to said user by said authentication module, which authorizes said user to perform said each electronic service request if a correct response is received to said challenge issued, wherein said issuing comprises checking a set of user profile data associated with said user;
  
  detecting whether or not any variances are found based on said set of user profile data associated with said user; and
  
  identifying a risk level for said each electronic service request received based on whether or not said any variances are found, wherein said challenge is a static challenge if said risk level is determined to be low, wherein said challenge is a dynamic challenge if said risk level is determined to be high, wherein said static challenge comprises at least one of a plurality of subjective questions for said user, wherein said at least one of said plurality of subjective questions requests a subjective answer that is based on a subjective opinion, about said user, from said user, and wherein only one of said static challenge and said dynamic challenge is issued based on said risk level of said user.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system according to claim 8, wherein said challenge issued is chosen from a challenge group comprising at least one of:
    - a user-preset challenge group and a customer relationship management challenge group;
      
      wherein said user-preset challenge group comprises one or more challenges that are preset by said user; and
      
      wherein said customer relationship management challenge group comprises one or more challenges that are generated using a customer relationship management system.
  - 10. The system according to claim 9, wherein as said risk level identified for said each electronic service requested increases, a level of strength of any resulting authorization associated with said challenge issued to said user for said each electronic service request received increases.
  - 11. The system according to claim 10, wherein said challenge chosen from said user-preset challenge group corresponds to a relatively low risk level identified for said each electronic service;
    - and wherein said challenge chosen from said customer relationship management challenge group corresponds to a relatively high risk level identified for said each electronic service, wherein the relatively low risk level is lower than the relatively high risk level.
  - 12. The system according to claim 8, wherein said authentication module further comprises:
    - a policy module configured to apply one or more business policies for handling said risk level associated with said any variances detected.

13. A computer program product for authenticating a user, said computer program product comprising:
- a non-transitory computer readable medium;
  
  first program instructions to verify user identity data received from a user requesting at least one of a plurality of electronic services;
  
  second program instructions to identify a risk level for said at least one of said plurality of electronic services requested by said user, wherein identification of said risk level is based on a set of user profile data associated with said user;
  
  third program instructions to establish a static challenge that comprises at least one of a plurality of subjective questions for said user, wherein said at least one subjective question requests a subjective answer that is based on a subjective opinion, about said user, from said user;
  
  fourth program instructions to establish a dynamic challenge that comprises at least one of a plurality of objective questions for said user, wherein said at least one objective question requests an objective answer that is based on a past financial transaction between said user and a financial institution;
  
  fifth program instructions to issue to said user, using a customer relationship management system, a challenge corresponding to said risk level identified for said at least one electronic service requested, wherein said challenge is either said static challenge if said risk level is determined to be low or said dynamic challenge if said risk level is determined to be high, wherein only one of said static challenge and said dynamic challenge is issued based on said risk level of said user, and wherein said fifth program instructions further comprise instructions to check a set of user profile data associated with said user;
  
  detect whether or not any variances are found based on said set of user profile data associated with said user; and
  
  identify a risk level for said at least one electronic service request received based on whether or not said any variances are found; and
  
  sixth program instructions to authorize said at least one electronic service requested only if a correct response is received to either said static challenge or said dynamic challenge; and
  
  wherein said first, second, third, fourth, fifth, and sixth program instructions are stored on said non-transitory computer readable medium.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product according to claim 13, wherein said first program instructions include instructions to receive said user identity data comprising a username and a password and to authenticate said user identity data.
  - 15. The computer program product according to claim 13, wherein if said any variances exist, said second program instructions include instructions to apply one or more business policies for handling said any variances that are found, such that said challenge issued to said user corresponds to said risk level identified for said at least one electronic service requested.
  - 16. The computer program product according to claim 15, wherein said static challenge group comprises one or more static challenges that are preset by said user;
    - and wherein said dynamic challenge group comprises one or more dynamic challenges that are generated using a customer relationship management system.
  - 17. The computer program product according to claim 13, further comprising:
    - seventh program instructions to determine if a variance has occurred, wherein a variance is an unusual present user behavior, compared with typical past user behavior, that is exhibited by said user when requesting access to said at least one electronic service; and
      
      eighth program instructions to issue said static challenge or said dynamic challenge based on characteristics of any variances found, any business rules and policies that are applicable, and an assessment of risk level for said at least one electronic service requested, and wherein said seventh and eighth program instructions are stored on said non-transitory computer readable medium.

18. A process for deploying computing infrastructure comprising integrating computer-readable code into a computing system, wherein said code in combination with said computing system is capable of performing a process for authenticating a user seeking access to a server for executing at least one electronic service, said process comprising:
- authenticating, by a processor, user identity data received from a user seeking access to a host server to execute at least one electronic service;
  
  receiving, by the processor, a request from said user for said at least one electronic service;
  
  issuing, by the processor, to said user at least a first challenge corresponding to said at least one electronic service request received, said first challenge being selected from either a user-preset challenge group or a customer relationship management challenge group, wherein said first challenge is a static challenge if a risk level for accessing said at least one electronic service is determined to be low, and wherein said first challenge is a dynamic challenge if said risk level for accessing said at least one electronic service is determined to be high, wherein said static challenge comprises at least one of a plurality of subjective questions for said user, wherein said at least one subjective question requests a subjective answer that is based on a subjective opinion, about said user, from said user, and wherein only one of said static challenge or said dynamic challenge is issued based on said risk level of said user, and wherein said issuing further comprises;
  
  checking a set of user profile data associated with said user;
  
  detecting whether or not any variances are found based on said set of user profile data associated with said user; and
  
  identifying a risk level for said at least one electronic service request received based on whether or not said any variances are found; and
  
  authorizing, by the processor, said at least one electronic service request if a correct response is received to said at least first challenge issued.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The process according to claim 18, wherein said detecting step further comprises the step of:
    - if said any variances are found, applying, using a business policies engine, one or more policies for handling said any variances that are found, such that said at least first challenge issued corresponds to said risk level identified for said at least one electronic service request received in light of said any variances found.
  - 20. The process according to claim 19, wherein said user-preset challenge group comprises one or more static challenges that are preset by said user;
    - and wherein said customer relationship management challenge group comprises one or more dynamic challenges that are generated using a customer relationship management system.
  - 21. The process according to claim 20, wherein as said risk level identified for said at least one electronic service request received increases, a level of complexity associated with said challenge issued to said user for said at least one electronic service request received increases.
  - 22. The process according to claim 18, further comprising:
    - determining if a variance has occurred, wherein a variance is an unusual present user behavior, compared with typical past user behavior, that is exhibited by said user when requesting access to said at least one electronic service; and
      
      issuing said static challenge or said dynamic challenge based on characteristics of any variances found, any business rules and policies that are applicable, and an assessment of risk level for said at least one electronic service requested.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Rosenoer, Jonathan M. C.
Primary Examiner(s)
Mehedi, Morshed

Application Number

US11/519,746
Publication Number

US 20080066165A1
Time in Patent Office

2,408 Days
Field of Search

726/4, 726165-166, 705/38
US Class Current

726/4
CPC Class Codes

G06F 16/258   Data format conversion from...

G06F 21/40   by quorum, i.e. whereby two...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/205   involving negotiation or de...

H04L 9/3226   using a predetermined code,...

H04L 9/3271   using challenge-response

Method, system and program product for authenticating a user seeking to perform an electronic service request

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method, system and program product for authenticating a user seeking to perform an electronic service request

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links