Methods and systems for authenticating users

US 8,443,202 B2
Filed: 08/05/2009
Issued: 05/14/2013
Est. Priority Date: 08/05/2009
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating users that reduces transaction risks comprising:

indicating a desire to conduct at least one transaction at a workstation and determining whether the at least one transaction requires access to protected resources, such that when the at least one transaction requires access to protected resources information is manually input into the workstation by a workstation user;

determining whether the inputted information is known and determining a state of a communications device when the inputted information is known;

extracting a level of risk from a biometric authentication request transmitted from a server and determining a biometric authentication data requirement corresponding to the extracted level of risk at an authentication system;

generating a biometric authentication data capture request in response to the authentication request, and transmitting the biometric authentication data capture request to the communications device, wherein the communications device is associated with one of a plurality of authorized users and the one authorized user is associated with the inputted information; and

obtaining the biometric authentication data capture request transmission, capturing biometric authentication data in accordance with the biometric authentication data capture request from the workstation user with the communications device, and transmitting the captured biometric authentication data from the communications device to the authentication system.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating users to reduce transaction risks includes indicating a desire to conduct a transaction and determining whether the transaction requires access to protected resources. Moreover, the method determines whether inputted information is known, determines a state of a communications device when the inputted information is known, and transmits a biometric authentication request from a server to an authentication system when the state of the communications device is enrolled. Additionally, the method includes validating the communications device, capturing biometric authentication data in accordance with a biometric authentication data capture request with the communications device, biometrically authenticating the user, generating a one-time pass-phrase and storing the one-time pass-phrase on the authentication system when the user is authenticated, comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase, and granting access to the protected resources when the transmitted and stored one-time pass-phrases match.

430 Citations

37 Claims

1. A method for authenticating users that reduces transaction risks comprising:
- indicating a desire to conduct at least one transaction at a workstation and determining whether the at least one transaction requires access to protected resources, such that when the at least one transaction requires access to protected resources information is manually input into the workstation by a workstation user;
  
  determining whether the inputted information is known and determining a state of a communications device when the inputted information is known;
  
  extracting a level of risk from a biometric authentication request transmitted from a server and determining a biometric authentication data requirement corresponding to the extracted level of risk at an authentication system;
  
  generating a biometric authentication data capture request in response to the authentication request, and transmitting the biometric authentication data capture request to the communications device, wherein the communications device is associated with one of a plurality of authorized users and the one authorized user is associated with the inputted information; and
  
  obtaining the biometric authentication data capture request transmission, capturing biometric authentication data in accordance with the biometric authentication data capture request from the workstation user with the communications device, and transmitting the captured biometric authentication data from the communications device to the authentication system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method for authenticating users in accordance with claim 1, further comprising:
    - displaying the plurality of pending transactions on the communications device;
      
      choosing one of the plurality of pending transactions to conduct; and
      
      determining the biometric authentication data requirement of the one pending transaction, when the at least one transaction is pending.
  - 3. A method for authenticating users in accordance with claim 1, further comprising:
    - displaying the plurality of transactions on the communications device;
      
      determining a level of risk associated with each of the plurality of pending transactions;
      
      comparing the determined level of risks to determine a greatest level of risk;
      
      determining a biometric authentication data requirement corresponding to the greatest level of risk; and
      
      including the biometric authentication data requirement in a subsequent biometric authentication data capture request.
  - 4. A method for authenticating users in accordance with claim 1, said capturing biometric authentication data operation further comprising:
    - verifying that the captured biometric authentication data is of sufficient quality for determining a sufficient quality comparison match and related numerical score; and
      
      capturing biometric authentication data again when the captured biometric authentication data is of insufficient quality.
  - 5. A method for authenticating users in accordance with claim 1, said determining whether the at least one transaction requires access to protected resources comprising:
    - generating a first configurable policy that associates each of a plurality of transactions with a corresponding one of a plurality of levels of risk and storing the first configurable policy in a server system;
      
      comparing the at least one transaction against the first configurable policy to determine the level of risk associated with the at least one transaction; and
      
      determining that access to the protected resources is required to complete the at least one transaction when the level of risk associated with the at least one transaction is greater than a lowest level of risk.
  - 6. A method for authenticating users in accordance with claim 1, further comprising:
    - generating a one-time pass-phrase, storing the one-time pass-phrase in the authentication system and transmitting the one-time pass-phrase to the communications device when the user is validated as the one authorized user;
      
      obtaining the one-time pass-phrase from the communications device and entering the one-time pass-phrase into the workstation;
      
      transmitting the one-time pass-phrase from the workstation to the authentication system and comparing the transmitted one-time pass-phrase against the stored one-time pass-phrase; and
      
      granting access to the protected resources of the one authorized user when the transmitted and stored one-time pass-phrases match.
  - 7. A method for authenticating users in accordance with claim 1, said determining the biometric authentication data requirement comprising:
    - consulting an authentication policy including policy levels of risk associated with biometric authentication data requirements, and comparing the extracted level of risk against the policy levels of risk; and
      
      determining the biometric authentication data requirement to be the biometric authentication data requirement that corresponds to the policy level of risk that matches the extracted level of risk.
  - 8. A method for authenticating users in accordance with claim 1, further comprising determining a geographical area relative to coordinate data of the communications device such that when the communications device is determined to be outside of the geographical area, the identity of the user is not validated.
  - 9. A method for authenticating users in accordance with claim 1, further comprising:
    - obtaining a communications device identifier of the communications device; and
      
      transmitting the communications device identifier to the authentication system, determining whether the communications device is known, and determining a state of the communications device when the communications device is known.
  - 10. A method for authenticating users in accordance with claim 1, further comprising registering the communications device, said registering operation comprising:
    - storing a communications device identifier; and
      
      setting a state of the communications device.
  - 11. A method for authenticating users in accordance with claim 1, further comprising:
    - registering the communications device; and
      
      enrolling the communications device, wherein the time between registering and enrolling the communications device varies.

12. A method of authenticating users for conducting at least one transaction, said method comprising:
- transmitting an authentication request from a server system to an authentication system over a network, the authentication request including a level of risk associated with the at least one transaction;
  
  extracting the level of risk from the authentication request;
  
  determining an authentication data requirement corresponding to the level of risk;
  
  transmitting an authentication capture request from the authentication system over another network to a communication device, the authentication capture request including the authentication data requirement;
  
  obtaining authentication data with the communication device from a user of the communication device, the obtained authentication data corresponding to the authentication data requirement;
  
  transmitting the obtained authentication data to the authentication system over the other network; and
  
  validating the identity of the user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. A method of authenticating users in accordance with claim 12, further comprising:
    - transmitting a one-time pass-phrase to the communications device over the other network when the identity of the user is validated;
      
      entering, by the user, the one-time pass-phrase into a workstation;
      
      transmitting the one-time pass-phrase from the workstation to the authentication system over the network;
      
      validating the one-time pass-phrase; and
      
      conducting the at least one transaction when the one-time pass-phrase is valid and has not expired.
  - 14. A method of authenticating users in accordance with claim 12 further comprising obtaining different authentication data when the obtained authentication data is not of sufficient quality.
  - 15. A method of authenticating users in accordance with claim 12 further comprising adjusting the level of risk when one of a plurality of risk factors is encountered.
  - 16. A method of authenticating users in accordance with claim 15, said adjusting operation comprising adjusting the level of risk according to a level of risk adjustment associated with the one risk factor.
  - 17. A method of authenticating users in accordance with claim 15 said adjusting operation comprising increasing or decreasing the level of risk by at least a single level of risk.
  - 18. A method of authenticating users in accordance with claim 15, said adjusting operation comprising one of:
    - increasing the level of risk by one level of risk when the at least one transaction requires accessing active accounts data after normal business hours;
      
      decreasing the level of risk by one level of risk when the communications device is located at most ten miles from a home address and the at least one transaction requires accessing account balances data; and
      
      increasing the level of risk by one level of risk when a predetermined period of time has elapsed since the user attempted to conduct a previous transaction.
  - 19. A method of authenticating users in accordance with claim 15 further comprising defining the risk factors, the risk factors comprising:
    - a time of day said obtaining operation occurs;
      
      a distance the communications device is from a home address when the at least one transaction is initiated; and
      
      a length of time that has passed since a transaction was previously conducted.
  - 20. A method of authenticating users in accordance with claim 15 said adjusting operation comprising increasing or decreasing the level of risk by at least a single level of risk.
  - 21. A method of authenticating users in accordance with claim 15 further comprising associating each of a plurality of level of risk adjustments with an appropriate one of the risk factors.

22. A system for authenticating a user attempting to conduct a transaction requiring access to protected resources, said system comprising:
- a first device, said first device being a global positioning system enabled device;
  
  an authentication system operable to at least store global positioning system coordinates as coordinate data, determine coordinates of said first device as home address coordinate data, establish a geographic area, and communicate with said first device, the established geographical area being a circle centered about the home address coordinate data having a radius based on behavior of the user; and
  
  a second device operable to communicate with at least said first device and said authentication system to determine a location of said second device, wherein said authentication system is further operable to determine whether said second device is inside or outside of the established geographic area, such that when said second device is outside of the established geographic area an identity of the user can not be verified and when said second device is within the established geographic area the identity of the user can be verified.

23. A computer program recorded on a non-transitory computer-readable recording medium included in an authentication computer system for enabling authentication of an identity of a user attempting to conduct at least one transaction, the computer program causing the authentication computer system to execute at least the following:
- transmitting an authentication request from a server system to an authentication system over a network, the authentication request including a level of risk associated with the at least one transaction, the server system, the authentication system, and the network being included in the authentication computer system;
  
  extracting the level of risk from the authentication request;
  
  determining an authentication data requirement corresponding to the level of risk;
  
  transmitting an authentication capture request from the authentication system over another network to a communications device, the authentication capture request including the authentication data requirement, the other network and the communications device being included in the authentication computer system;
  
  obtaining authentication data with the communications device from a user of the communications device, the obtained authentication data corresponding to the authentication data requirement;
  
  transmitting the obtained authentication data to the authentication system over the other network; and
  
  validating the identity of the user.
- View Dependent Claims (24, 25, 26)
- - 24. A computer program recorded on a non-transitory computer-readable recording medium in accordance with claim 23, the computer program causing the authentication computer system to further execute at least the following:
    - transmitting a one-time pass-phrase to the communications device over the other network when the identity of the user is validated;
      
      obtaining the one-time pass-phrase from the communications device and manually entering the one-time pass-phrase into a computer;
      
      transmitting the one-time pass-phrase from the computer to the authentication system over the network; and
      
      conducting the at least one transaction when the one-time pass-phrase is valid and has not expired.
  - 25. A computer program recorded on a non-transitory computer-readable recording medium in accordance with claim 23, the computer program causing the authentication computer system to conduct said determining operation by executing at least the following:
    - consulting an authentication policy including policy levels of risk associated with authentication data requirements;
      
      comparing the level of risk against the policy levels of risk; and
      
      determining the authentication data requirement to be the authentication requirement that corresponds to the policy level of risk that matches the level of risk.
  - 26. A computer program recorded on a non-transitory computer-readable recording medium in accordance with claim 23, the computer program causing the authentication computer system to further execute at least the following prior to said obtaining operation:
    - validating the communications device; and
      
      verifying that the at least one transaction is pending.

27. An authentication computer system comprising:
- a server system, said server system including at least a database and being configured to at least determine a level of risk associated with at least one transaction;
  
  a workstation operationally coupled to said server system over a first network, said workstation being configured to at least receive information input by a user;
  
  an authentication system including an authentication database, said authentication system being configured to at least communicate with said server system over the first network, store within said authentication database authentication data and personal data associated with each of a plurality of authorized users, receive an authentication request transmitted from said server system, extract a level of risk from the authentication request, determine an authentication data requirement corresponding to the level of risk, and initiate an authentication process over a second network in response to a communication from the first network; and
  
  a communications device associated with one of a plurality of authorized users being configured to at least communicate with said authentication system over said second network, receive an authentication data request transmitted over said second network from said authentication system, capture authentication data from the user in accordance with the authentication data request, and transmit the captured authentication data to said authentication system over said second network, whereinsaid authentication system is further configured to initiate the authentication process by transmitting the authentication data request including the authentication data requirement to said communications device, and is further configured to compare the captured authentication data against authentication data of the one authorized user.
- View Dependent Claims (28)
- - 28. An authentication computer system in accordance with claim 27, wherein:
    - said authentication system is further configured to transmit a one-time pass-phrase over said second network when the user is authenticated as the one authorized user;
      
      said communications device is further configured to receive and display the one-time pass-phrase such that the one-time pass-phrase can be inputted into said workstation and transmitted over said first network to said authentication system;
      
      said authentication system is further configured to compare the one-time pass-phrase transmitted from said authentication system against the one-time pass-phrase received by said authentication system; and
      
      said server system is configured to conduct the at least one transaction when the one-time pass-phrase is valid and has not expired.

29. A method of authenticating a user attempting to conduct at least one transaction, said method comprising:
- extracting a risk level of at least one transaction from an authentication request;
  
  determining an authentication data requirement corresponding to the risk level with an authentication system;
  
  validating an identity of a user by comparing captured biometric data of the user against biometric data of an authorized user, the captured biometric data corresponding to the authentication data requirement;
  
  validating a one-time pass-phrase after successfully validating the identity of the user; and
  
  conducting the at least one transaction with a system different than the authentication system when the one-time pass-phrase is valid and has not expired.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. A method of authenticating a user in accordance with claim 29 said validating a one-time pass-phrase operation comprising comparing the one-time pass-phrase against a stored one-time pass-phrase.
  - 31. A method of authenticating a user in accordance with claim 29, further comprising:
    - determining a state of a communications device with a server system; and
      
      transmitting the authentication request from the server system to an authentication system when a state of a communications device is enrolled.
  - 32. A method of authenticating a user in accordance with claim 31, said determining an authentication data requirement operation comprising:
    - consulting an authentication policy including policy levels of risk associated with biometric authentication data requirements;
      
      comparing the extracted risk level against the policy levels of risk; and
      
      determining the authentication data requirement to be the authentication data requirement that corresponds to the policy level of risk that matches the extracted risk level.
  - 33. A method of authenticating a user in accordance with claim 29, further comprising:
    - transmitting the authentication request from a server system to an authentication system when a state of a communications device is enrolled;
      
      generating a biometric authentication data capture request in response to the authentication request;
      
      transmitting the biometric authentication data capture request to the communications device, the biometric authentication request including the authentication data requirement;
      
      capturing biometric authentication data in accordance with the biometric authentication data capture request from the user with the communications device; and
      
      transmitting the captured biometric authentication data to the authentication system and conducting said validating an identity of a user operation at the authentication system.
  - 34. A method of authenticating users in accordance with claim 29, further comprising:
    - generating a one-time pass-phrase with the authentication system, storing the one-time pass-phrase in the authentication system, and transmitting the one-time pass-phrase to a communications device over a second network;
      
      obtaining the one-time pass phrase from the communications device and entering the one-time pass-phrase into a workstation; and
      
      transmitting the one-time pass-phrase from the workstation to the authentication system over a first network prior to conducting said validating a one-time pass-phrase operation.

35. A method of authenticating a user attempting to conduct at least one transaction, said method comprising:
- extracting a risk level of at least one transaction from an authentication request;
  
  determining an authentication data requirement corresponding to the risk level with an authentication system;
  
  conducting a first validation of the user with data corresponding to the authentication data requirement;
  
  conducting a second validation of the user with different data after the first validation verifies an identity of the user; and
  
  conducting the at least one transaction with a system different than the authentication system when the different data is validated and has not expired.
- View Dependent Claims (36, 37)
- - 36. A method of authenticating a user attempting to conduct at least one transaction in accordance with claim 35, further comprising:
    - determining whether a communications device associated with the user is inside or outside an established geographic area, the communications device for capturing the data corresponding to the authentication data requirement; and
      
      executing said conducting a first validation operation when the communications device is within the established geographic area.
  - 37. A method of authenticating a user attempting to conduct at least one transaction in accordance with claim 35, further comprising determining coordinate data of a communications device used to capture the data corresponding to the authentication data requirement, when the communications device is determined to be outside of a geographical area said conducting a first validation operation is not executed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Corporation DAON Technology
Original Assignee
Daon Holdings Limited
Inventors
White, Conor Robert, Peirce, Michael, Cramer, Jason Scott, Steiner, Chet Bradford, Diebes, Suzanna
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
KAPLAN, BENJAMIN A

Application Number

US12/535,720
Publication Number

US 20110035788A1
Time in Patent Office

1,378 Days
Field of Search

713/186, 380/258
US Class Current

713/186
CPC Class Codes

G06F 21/31   User authentication

G06F 21/32   using biometric data, e.g. ...

G06F 21/577   Assessing vulnerabilities a...

G06Q 10/00   Administration; Management

G06Q 20/4016   involving fraud or risk lev...

G06Q 30/06   Buying, selling or leasing ...

H04L 2209/56   Financial cryptography, e.g...

H04L 63/08   for authentication of entit...

H04L 63/0861   using biometrical features,...

H04L 63/123   received data contents, e.g...

H04L 9/3228   One-time or temporary data,...

H04L 9/3231   Biological data, e.g. finge...

Methods and systems for authenticating users

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

430 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for authenticating users

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

430 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links