System and method for risk based authentication
First Claim
1. A method performed by a computer processor of a risk based authentication server, the method comprising:
- receiving, from an online transaction server which has performed a first authentication operation to successfully authenticate a party using a remote user computer, user identification data which identifies the party using the remote user computer, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
- receiving, from the online transaction server, a risk assessment request including transaction information obtained from the party using the user computer in response to a request to perform a transaction;
- assessing, by the computer processor, the risk level of the transaction based on the user identification data and the transaction information of the risk assessment request;
- based on the risk level, setting a level of authentication for the transaction, wherein assessing the risk level of the transaction includes at least evaluating based on at least one circumstance of the requested transaction the probability that the party requesting the transaction is not a person identified by the user identification data, wherein said at least one circumstance of the requested transaction is selected from: an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
- determining based on the level of authentication a set of one or more additional authentication details required of the party requesting the transaction, said one or more additional authentication details being different from the user identification data;
- requesting the determined set of additional authentication details from the party through the online transaction server via a web-based exchange with the party using the user computer;
- receiving from the party responses to the request for the determined set of additional authentication details through the online transaction server via the web-based exchange with the party using the user computer; and
- based on said party's responses to the request for the determined set of additional authentication details, performing a second authentication operation by the computer processor of the risk based authentication server which is separate from the online transaction server that has performed the first authentication operation and which communicates with the online transaction server through the interface, the second authentication operation determining whether to output a successful authentication result from the risk based authentication server to the online transaction server to allow the online transaction server to perform the transaction.
Abstract
A system and method may allow for flexible transaction processing based on, for example, the risk assessment of a transaction and/or of a user or party to a transaction. Based on a risk level, for example, a level of authentication for the transaction may be set or altered.
46 Claims
1. (Set out in full above under First Claim.) View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
22. A method performed by a computer processor of a risk based authentication server, the method comprising:
- accepting, from an online transaction server which has performed a first authentication operation to successfully authenticate a user using a remote user computer, (i) user identification data which identifies the user using the remote user computer, and (ii) a request to begin a transaction, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
- evaluating, by the computer processor and based on the user identification data and at least one circumstance of the requested transaction, a level of risk for the transaction, wherein the level of risk includes at least a probability that the user is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from: an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
- if a second authentication operation performed by the risk based authentication server indicates that the level of risk is below a threshold, directing the online transaction server to allow the transaction;
- if the second authentication operation performed by the risk based authentication server indicates that the level of risk is above the threshold, directing the online transaction server to request the user to provide one or more additional security details, receive from the user a response to the request for security details, and based on the user's responses to the request for security details, determine whether to allow the transaction, wherein said one or more additional security details are different from information provided by the user prior to the request to begin the transaction.
View Dependent Claims (23, 24, 25, 26, 27, 28, 29)
30. A risk based authentication server comprising a computer processor to:
- receive from an online transaction server which has performed a first authentication operation to successfully authenticate a party using a remote user computer, user identification data which identifies the party using the remote user computer, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
- receive, from the online transaction server, a risk assessment request including transaction information obtained from the party using the user computer in response to a request to perform a transaction;
- assess the risk level of the transaction based on the user identification data and the transaction information of the risk assessment request; and
- based on the risk level, set a level of authentication for the transaction, wherein said processor, when assessing the risk level of the transaction, at least evaluates based on at least one circumstance of the requested transaction the probability that the party requesting the transaction is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from: an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
- determine based on the level of authentication a set of one or more additional authentication details required of the party requesting the transaction, said one or more additional authentication details being different from the user identification data;
- request the determined set of additional authentication details from the party through the online transaction server via a web-based exchange with the party using the user computer;
- receive from the party responses to the request for the determined set of authentication details through the online transaction server via the web-based exchange with the party using the user computer; and
- based on said party's responses to the request for the determined set of authentication details, perform a second authentication operation to determine whether to output a successful authentication result from the risk based authentication server to the online transaction server to allow the online transaction server to perform the transaction.
View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38)
39. A risk based authentication server comprising a computer processor to:
- accept, from an online transaction server which has performed a first authentication operation to successfully authenticate a user using a remote user computer, (i) user identification data which identifies the user using the remote computer, and (ii) a request to begin a transaction, the computer processor of the risk based authentication server being separate from the online transaction server and communicating with the online transaction server through an interface;
- evaluate based on the user identification data and at least one circumstance of the requested transaction a level of risk for the transaction, wherein the level of risk includes at least a probability that the user is not a person identified by the user identification, wherein said at least one circumstance of the requested transaction is selected from: an identity of the user computer, a time of the transaction request, and a geographical location of the user computer;
- if a second authentication operation performed by the risk based authentication server indicates that the level of risk is below a threshold, direct the online transaction server to allow the transaction; and
- if the second authentication operation performed by the risk based authentication server indicates that the level of risk is above the threshold, direct the online transaction server to request the user to provide one or more additional security details, receive from the user a response to the request for security details, and based on the user's responses to the request for security details, determine whether to allow the transaction, wherein said one or more additional authentication details are different from information provided by the user prior to the request to begin the transaction.
View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
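The flow the claims describe (risk assessed from device identity, time and location; a threshold deciding whether extra details are required; a second authentication on the party's responses) as an added, constructed illustration in Python. It is not the patent's code: the weights, the 0.35 threshold, the profile fields and the hashed-answer check are all assumptions, and the `exchange` callable stands in for the web-based exchange relayed through the online transaction server.

```python
# Added illustration, not the patent's code; weights, thresholds and data are constructed.
from dataclasses import dataclass
import hashlib, hmac

RISK_THRESHOLD = 0.35  # risk above this requires additional authentication details

@dataclass
class UserProfile:              # what the RBA server holds for an identified user
    known_devices: frozenset    # user computer identities seen before
    usual_countries: frozenset  # geographical locations seen before
    usual_hours: range          # hours of day the user normally transacts
    details_on_file: dict       # detail name -> sha256 hex of the expected answer

@dataclass
class RiskAssessmentRequest:    # forwarded by the online transaction server
    user_id: str                # user identification data from the first authentication
    device_id: str
    country: str
    hour: int                   # hour of day of the transaction request, 0-23

def hash_detail(answer):
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()

def assess_risk(profile, req):  # probability-like score that the party is not the user
    score = 0.0
    if req.device_id not in profile.known_devices:
        score += 0.4
    if req.country not in profile.usual_countries:
        score += 0.4
    if req.hour not in profile.usual_hours:
        score += 0.2
    return round(score, 2)

def authentication_level(risk):  # 0: first authentication suffices; 1 or 2: extra details
    if risk <= RISK_THRESHOLD:
        return 0
    return 1 if risk < 0.7 else 2

def second_authentication(profile, details, responses):
    ok = True
    for name in details:  # check every requested detail, no early exit
        ok &= hmac.compare_digest(hash_detail(responses.get(name, "")), profile.details_on_file[name])
    return ok

def handle_transaction(profile, req, exchange):  # exchange(names) -> responses, via the OTS
    level = authentication_level(assess_risk(profile, req))
    details = sorted(profile.details_on_file)[:level]  # which extra details to require
    if not details:
        return True
    return second_authentication(profile, details, exchange(details))
```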