System and method for risk based authentication

US 8,572,391 B2
Filed: 09/13/2004
Issued: 10/29/2013
Est. Priority Date: 09/12/2003
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer processor of a risk based authentication server, the method comprising:

receiving, from an online transaction server which has performed a first authentication operation to successfully authenticate a party using a remote user computer, user identification data which identifies the party using the remote user computer, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;

receiving, from the online transaction server, a risk assessment request including transaction information obtained from the party using the user computer in response to a request to perform a transaction;

assessing, by the computer processor, the risk level of the transaction based on the user identification data and the transaction information of the risk assessment request;

based on the risk level, setting a level of authentication for the transaction,wherein assessing the risk level of the transaction includes at least evaluating based on at least one circumstance of the requested transaction the probability that the party requesting the transaction is not a person identified by the user identification data,wherein said at least one circumstance of the requested transaction is selected from;

an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;

determining based on the level of authentication a set of one or more additional authentication details required of the party requesting the transaction, said one or more additional authentication details being different from the user identification data;

requesting the determined set of additional authentication details from the party through the online transaction server via a web-based exchange with the party using the user computer;

receiving from the party responses to the request for the determined set of additional authentication details through the online transaction server via the web-based exchange with the party using the user computer; and

based on said party'"'"'s responses to the request for the determined set of additional authentication details, performing a second authentication operation by the computer processor of the risk based authentication server which is separate from the online transaction server that has performed the first authentication operation and which communicates with the online transaction server through the interface, the second authentication operation determining whether to output a successful authentication result from the risk based authentication server to the online transaction server to allow the online transaction server to perform the transaction.

View all claims

14 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method may allow for flexible transaction processing based on for example the risk assessment of a transaction and/or a user or party to a transaction. Based on a risk level, for example, a level of authentication for the transaction may be set or altered.

Citations

46 Claims

1. A method performed by a computer processor of a risk based authentication server, the method comprising:
- receiving, from an online transaction server which has performed a first authentication operation to successfully authenticate a party using a remote user computer, user identification data which identifies the party using the remote user computer, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
  
  receiving, from the online transaction server, a risk assessment request including transaction information obtained from the party using the user computer in response to a request to perform a transaction;
  
  assessing, by the computer processor, the risk level of the transaction based on the user identification data and the transaction information of the risk assessment request;
  
  based on the risk level, setting a level of authentication for the transaction,wherein assessing the risk level of the transaction includes at least evaluating based on at least one circumstance of the requested transaction the probability that the party requesting the transaction is not a person identified by the user identification data,wherein said at least one circumstance of the requested transaction is selected from;
  
  an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
  
  determining based on the level of authentication a set of one or more additional authentication details required of the party requesting the transaction, said one or more additional authentication details being different from the user identification data;
  
  requesting the determined set of additional authentication details from the party through the online transaction server via a web-based exchange with the party using the user computer;
  
  receiving from the party responses to the request for the determined set of additional authentication details through the online transaction server via the web-based exchange with the party using the user computer; and
  
  based on said party'"'"'s responses to the request for the determined set of additional authentication details, performing a second authentication operation by the computer processor of the risk based authentication server which is separate from the online transaction server that has performed the first authentication operation and which communicates with the online transaction server through the interface, the second authentication operation determining whether to output a successful authentication result from the risk based authentication server to the online transaction server to allow the online transaction server to perform the transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the party is login authenticated by the online transaction server prior to assessing the risk level of the transaction.
  - 3. The method of claim 1, wherein the set of additional authentication details includes at least a password.
  - 4. The method of claim 1, wherein setting the level of authentication for the transaction includes choosing among a set of levels of login security for the transaction, based on the risk level.
  - 5. The method of claim 1, further comprising setting, the level of authentication after the start of transaction.
  - 6. The method of claim 1, wherein the transaction is a financial transaction.
  - 7. The method of claim 1, wherein assessing the risk level of the transaction includes at least evaluating the transaction.
  - 8. The method of claim 1, wherein assessing the risk level of the transaction includes at least evaluating size of the transaction.
  - 9. The method of claim 1, wherein the risk level assessment is based on a set of stored data;
    - and wherein the method further comprises altering the set of stored data based on the transaction.
  - 10. The method of claim 1, wherein determining the set of one or more additional authentication results includes selecting a type of authentication required of the party requesting the transaction.
  - 11. The method of claim 1, further comprising, in response to a certain risk level, requiring a further authentication step after an initial authentication step.
  - 12. The method of claim 1, further comprising, in response to a certain risk level, making a certain authentication step mandatory instead of optional.
  - 13. The method of claim 1, wherein the transaction is a password recovery.
  - 14. The method of claim 1, further comprising overriding the level of authentication which is set for the transaction.
  - 15. The method of claim 1, further comprising if the party is among a set of predefined users, or the transaction meets certain criteria, overriding the level of authentication which is set for the transaction.
  - 16. The method of claim 1, further comprising collecting user or transaction data and storing the data for future risk assessment.
  - 17. The method of claim 1, further comprising collecting user data and storing the data for future authentication.
  - 18. The method of claim 1, further comprising collecting transaction data and storing the transaction data for future risk assessment.
  - 19. The method of claim 17, further comprising authenticating a party to the transaction.
  - 20. The method of claim 1, wherein the set of additional authentication details consist of one or more authentication details selected from:
    - a social security number, an answer to a security question, an answer to a question based on collected data, a transaction number relating to a recent transaction of the party, and data provided to the party over a different communication channel.
  - 21. The method of claim 1, further comprising if the level of risk is above the threshold, determining which additional authentication options are available, wherein the one or more additional authentication details are selected from among the determined available authentication options.

22. A method performed by a computer processor of a risk based authentication server, the method comprising:
- accepting, from an online transaction server which has performed a first authentication operation to successfully authenticate a user using a remote user computer, (i) user identification data which identifies the user using the remote user computer, and (ii) a request to begin a transaction, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
  
  evaluating, by the computer processor and based on the user identification data and at least one circumstance of the requested transaction, a level of risk for the transaction, wherein the level of risk includes at least a probability that the user is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from;
  
  an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
  
  if a second authentication operation performed by the risk based authentication server indicates that the level of risk is below a threshold, directing the online transaction server to allow the transaction;
  
  if the second authentication operation performed by the risk based authentication server indicates that the level of risk is above the threshold, directing the online transaction server to request the user to provide one or more additional security details, receive from the user a response to the request for security details, and based on the user'"'"'s responses to the request for security details, determine whether to allow the transaction, wherein said one or more additional security details are different from information provided by the user prior to the request to begin the transaction.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
- - 23. The method of claim 22, wherein accepting the request includes at least accepting an initial set of authentication details.
  - 24. The method of claim 22, further comprising, prior to accepting the request, accepting from the user authentication details.
  - 25. The method of claim 22, wherein evaluating the level of risk for the transaction includes at least evaluating the past transaction history of the person identified by the user identification.
  - 26. The method of claim 22, further comprising if the user is among a set of predefined users, overriding requiring the user to provide additional security details.
  - 27. The method of claim 22, wherein the set of additional security details comprises a password.
  - 28. The method of claim 22, wherein the set of additional security details consist of one or more security details selected from:
    - a social security number, an answer to a security question, an answer to a question based on collected data, a transaction number relating to a recent transaction of the user, data provided to the user over a different communication channel.
  - 29. The method of claim 22, further comprising if the level of risk is above the threshold, determining which additional security options are available, wherein the one or more additional security details are selected from among the determined available security options.

30. A risk based authentication server comprising a computer processor to:
- receive from an online transaction server which has performed a first authentication operation to successfully authenticate a party using a remote user computer, user identification data which identifies the party using the remote user computer, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
  
  receive, from the online transaction server, a risk assessment request including transaction information obtained from the party using the user computer in response to a request to perform a transaction;
  
  assess the risk level of the transaction based on the user identification data and the transaction information of the risk assessment request; and
  
  based on the risk level, set a level of authentication for the transaction,wherein said processor, when assessing the risk level of the transaction, at least evaluates based on at least one circumstance of the requested transaction the probability that the party requesting the transaction is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from;
  
  an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
  
  determine based on the level of authentication a set of one or more additional authentication details required of the party requesting the transaction, said one or more additional authentication details being different from the user identification data;
  
  request the determined set of additional authentication details from the party through the online transaction server via a web-based exchange with the party using the user computer;
  
  receive from the party responses to the request for the determined set of authentication details through the online transaction server via the web-based exchange with the party using the user computer; and
  
  based on said party'"'"'s responses to the request for the determined set of authentication details, perform a second authentication operation to determine whether to output a successful authentication result from the risk based authentication server to the online transaction server to allow the online transaction server to perform the transaction.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
- - 31. The risk based authentication server of claim 30, wherein the processor is to authenticate a party to the transaction.
  - 32. The risk based authentication server of claim 30, wherein the processor is to use the level of authentication to determine a set of authentication details required of a party to the transaction.
  - 33. The risk based authentication server of claim 30, wherein the set of additional authentication details includes at least a password.
  - 34. The risk based authentication server of claim 30, wherein the processor is to choose among a set of levels of login security for the transaction, based on the risk level.
  - 35. The risk based authentication server of claim 30, wherein the processor is to in response to a certain risk level, require a further authentication step after an initial authentication step.
  - 36. The risk based authentication server of claim 30, wherein the transaction is a password recovery.
  - 37. The risk based authentication server of claim 30, wherein the set of additional authentication details consist of one or more authentication details selected from:
    - a social security number, an answer to a security question, an answer to a question based on collected data, a transaction number relating to a recent transaction of the party, data provided to the party over a different communication channel.
  - 38. The risk based authentication server of claim 30, wherein the computer processor is to determine which additional authentication options are available, and determine the set of one or more additional authentication details based on the determined available additional authentication options and on the level of authentication.

39. A risk based authentication server comprising a computer processor to:
- accept, from an online transaction server which has performed a first authentication operation to successfully authenticate a user using a remote user computer, (i) user identification data which identifies the user using the remote computer, and (ii) a request to begin a transaction, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
  
  evaluate based on the user identification data and at least one circumstance of the requested transaction a level of risk for the transaction, wherein the level of risk includes at least a probability that the user is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from;
  
  an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
  
  if a second authentication operation performed by the risk based authentication server indicates that the level of risk is below a threshold, direct the online transaction server to allow the transaction; and
  
  if the second authentication operation performed by the risk based authentication server indicates that the level of risk is above the threshold, direct the online transaction server to request the user to provide one or more additional security details, receive from the user a response to the request for security details, and based on the user'"'"'s responses to the request for security details, determine whether to allow the transaction, wherein said one or more additional authentication details are different from information provided by the user prior to the request to begin the transaction.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. The risk based authentication server of claim 39, wherein accepting the request includes at least accepting an initial set of security details.
  - 41. The risk based authentication server of claim 39, wherein evaluating at least the user for risk includes at least evaluating the past transaction history of the user.
  - 42. The risk based authentication server of claim 39, wherein the processor is to, if the user is among a set of preferred users, override the requiring the user to provide security details.
  - 43. The risk based authentication server of claim 39, wherein said processor is further to evaluate the transaction for a level of risk.
  - 44. The risk based authentication server of claim 39, wherein the set of additional security details comprises a password.
  - 45. The risk based authentication server of claim 39, wherein the set of additional security details consist of one or more security details selected from:
    - a social security number, an answer to a security question, an answer to a question based on collected data, a transaction number relating to a recent transaction of the user, data provided to the user over a different communication channel.
  - 46. The risk based authentication server of claim 39, wherein the computer processor is to determine which additional security options are available, and determine the set of one or more additional security details based on the determined available additional security options and on the level of authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Emc IP Holding Company LLC (Dell Technologies Inc.)
Original Assignee
EMC Corporation (Dell Technologies Inc.)
Inventors
Golan, Lior, Orad, Amir, Bennett, Naftali
Primary Examiner(s)
Brown, Christopher
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US10/938,848
Publication Number

US 20050097320A1
Time in Patent Office

3,333 Days
Field of Search

726 1- 36, 705/75, 705/72, 713/182, 713/183
US Class Current

713/183
CPC Class Codes

G06F 21/40   by quorum, i.e. whereby two...

G06F 21/577   Assessing vulnerabilities a...

G06Q 20/04   Payment circuits

G06Q 20/4014   Identity check for transact...

G06Q 20/4016   involving fraud or risk lev...

System and method for risk based authentication

First Claim

14 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for risk based authentication

First Claim

14 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links