Online challenge-response

US 8,762,279 B2
Filed: 08/12/2013
Issued: 06/24/2014
Est. Priority Date: 11/06/2008
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a consumer conducting a transaction with a merchant, the method comprising:

receiving, by a merchant computer, a transaction request from the consumer including information associated with an account being used to conduct the transaction;

sending, by the merchant computer, an enrollment request message to a server computer, wherein the server computer identifies a type of authentication available, and wherein the type of authentication available includes at least one of a password-based authentication or a challenge-response authentication;

redirecting, by the merchant computer, the consumer to the server computer, wherein the server computer generates an authentication challenge and compares a response received from the consumer to an expected response when challenge-response authentication of the consumer is available;

receiving, by the merchant computer, a result of the consumer authentication; and

if the consumer is authenticated, submitting the transaction for processing.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention enable cardholders conducting an online transaction to be authenticated in real-time using a challenge-response application. The challenge-response application can be administered by an issuer or by a third party on-behalf-of an issuer. A challenge question can be presented to the cardholder, and the cardholder'"'"'s response can be verified. The challenge question presented can be selected based on an analysis of the risk of the transaction and potentially other factors. A variety of dynamic challenge questions can be used without the need for the cardholder to enroll into the program. Additionally, there are many flexible implementation options of the challenge-response application that can be adjusted based on factors such as the location of the merchant or the location of the consumer.

Citations

20 Claims

1. A method of authenticating a consumer conducting a transaction with a merchant, the method comprising:
- receiving, by a merchant computer, a transaction request from the consumer including information associated with an account being used to conduct the transaction;
  
  sending, by the merchant computer, an enrollment request message to a server computer, wherein the server computer identifies a type of authentication available, and wherein the type of authentication available includes at least one of a password-based authentication or a challenge-response authentication;
  
  redirecting, by the merchant computer, the consumer to the server computer, wherein the server computer generates an authentication challenge and compares a response received from the consumer to an expected response when challenge-response authentication of the consumer is available;
  
  receiving, by the merchant computer, a result of the consumer authentication; and
  
  if the consumer is authenticated, submitting the transaction for processing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising performing the password-based authentication of the consumer conducting the transaction substantially concurrently with the challenge-response authentication.
  - 3. The method of claim 1, wherein the challenge-response authentication is performed when the password-based authentication of the consumer conducting the transaction cannot take place.
  - 4. The method of claim 1, wherein the challenge-response authentication is performed substantially concurrently with an enrollment process for the password-based authentication of the consumer conducting the transaction.
  - 5. The method of claim 1, wherein the challenge-response authentication is performed substantially concurrently with a password recovery process for the password-based authentication of the consumer conducting the transaction.
  - 6. The method of claim 1, wherein the challenge-response authentication is performed instead of a password recovery process for the password-based authentication of the consumer conducting the transaction.
  - 7. The method of claim 1, wherein the consumer receives the expected response at a consumer device and wherein the expected response is valid for only one transaction.
  - 8. The method of claim 1, wherein the authentication challenge is generated by a payment processing network.
  - 9. The method of claim 1, wherein the server computer determines a risk score for the transaction and sends the risk score to a server computer associated with an issuer of the account being used to conduct the transaction, wherein the authentication challenge is generated by the server computer associated with the issuer and wherein the consumer response is received by the issuer.
  - 10. A computer-readable medium comprising computer-executable code, executable by a processor, for performing the method of claim 1.
  - 11. A server computer comprising a processor and the computer-readable medium of claim 10 coupled to the processor.

12. A system for authenticating a consumer conducting a transaction with a merchant, the system comprising:
- a challenge-response server computer, the challenge-response server computer comprising modules capable of executing on the challenge-response server computer, the modules comprising;
  
  a challenge optimizer module configured to;
  
  receive an enrollment request message sent by the merchant;
  
  identify a type of authentication available, wherein the type of authentication available includes at least one of a password-based authentication or a challenge-response based authentication;
  
  send an enrollment response message to the merchant based on the type of authentication available; and
  
  generate an authentication challenge and compare a response received from the consumer to an expected response when the challenge-response authentication of the consumer is available.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, further comprising:
    - a password-based authentication system, wherein the password-based authentication system is configured to provide the password-based authentication of the consumer conducting the transaction.
  - 14. The system of claim 13, wherein the password-based authentication system is configured to provide authentication of the consumer substantially concurrently to the authentication provided by the challenge-response server computer.
  - 15. The system of claim 13, wherein parameters of the authentication provided by the challenge-response server computer and parameters of the authentication provided by the password-based authentication system are determined based on information about the transaction being conducted and on information associated with an account being used to conduct the transaction.
  - 16. The system of claim 13, wherein the authentication provided by the challenge-response server computer is provided when the password-based authentication of the consumer cannot take place.
  - 17. The system of claim 13, wherein the challenge-response server computer is configured to authenticate the consumer substantially concurrently with an enrollment process for the password-based authentication system that occurs during the transaction.
  - 18. The system of claim 13, wherein the challenge-response server computer authenticates the consumer substantially concurrently with a password recovery process for the password-based authentication system that occurs during the transaction.
  - 19. The system of claim 12, wherein the challenge-response server computer further comprises:
    - a risk analyzer module configured to obtain a risk score for the transaction, wherein the challenge-response authentication is performed when the risk score is a medium risk score, wherein no challenge is sent if the risk score is a low risk score, and wherein a transaction failure message is sent if the risk score is a high risk score.
  - 20. The system of claim 19, wherein the risk score is further based on querying an external risk assessment system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Weller, Kevin, Steele, Kim, Koganti, Krishna Prasad, Faith, Patrick
Primary Examiner(s)
Oyebisi, Ojo O

Application Number

US13/964,992
Publication Number

US 20130339249A1
Time in Patent Office

316 Days
Field of Search

705/39, 705/35, 705/40, 705/38, 705/44
US Class Current

705/44
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

G06Q 20/12   specially adapted for elect...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4016   involving fraud or risk lev...

G06Q 20/405   Establishing or using trans...

G06Q 30/06   Buying, selling or leasing ...

G06Q 50/265   Personal security, identity...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3226   using a predetermined code,...

H04L 9/3273   for mutual authentication n...

Online challenge-response

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Online challenge-response

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links