One-time use password systems and methods

US 9,665,868 B2
Filed: 05/09/2011
Issued: 05/30/2017
Est. Priority Date: 05/10/2010
Status: Active Grant

First Claim

Patent Images

1. A method of using a one-time password for a transaction between a user and a merchant, comprising:

generating the one-time password by an electronic device;

performing an authentication process of the user by an authentication server in response to a request from the user to use the one-time password, the user is authenticated based on information other than the one-time password;

authorizing the use of the one-time password for the transaction in response to successfully authenticating the user by the authentication server;

determining that the use of the one-time password is not authorized for the transaction in response to authentication of the user by the authentication server failing;

receiving the one-time password in combination with an account number at an electronic device of the merchant;

sending a first electronic message to the authentication server, wherein the first electronic message comprises the one-time password, and wherein the first electronic message requests a determination whether the one-time password is authorized for use in the transaction based on successful verification of the user;

sending a second electronic message to the electronic device of the merchant, wherein the second electronic message includes a determination whether the transaction should be approved, the determination is based in part on whether the authentication server indicates the one-time password is authorized for use in the transaction based on successful verification of the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to the invention, a method of using a one-time password for a transaction between a user and a merchant is disclosed. The method may include generating the one-time password. The method may also include authenticating the user by the authentication server in response to a request from the user to use the one-time password. The method may further include authorizing the use of the one-time password for the transaction in response to authenticating the user by the authentication server. The method may moreover include using the one-time password in combination with an account number to settle the transaction between the user and the merchant. The method may additionally include sending a message to the authentication server originating from the merchant, wherein the message comprises the one-time password, and wherein the message requests a determination whether the one-time password is authorized for use in the transaction. The method may also include sending a message to the merchant originating from the authentication server, wherein the message includes a determination whether the transaction should be approved in response to the authentication server determining whether the one-time password is authorized for use in the transaction.

19 Citations

View as Search Results

22 Claims

1. A method of using a one-time password for a transaction between a user and a merchant, comprising:
- generating the one-time password by an electronic device;
  
  performing an authentication process of the user by an authentication server in response to a request from the user to use the one-time password, the user is authenticated based on information other than the one-time password;
  
  authorizing the use of the one-time password for the transaction in response to successfully authenticating the user by the authentication server;
  
  determining that the use of the one-time password is not authorized for the transaction in response to authentication of the user by the authentication server failing;
  
  receiving the one-time password in combination with an account number at an electronic device of the merchant;
  
  sending a first electronic message to the authentication server, wherein the first electronic message comprises the one-time password, and wherein the first electronic message requests a determination whether the one-time password is authorized for use in the transaction based on successful verification of the user;
  
  sending a second electronic message to the electronic device of the merchant, wherein the second electronic message includes a determination whether the transaction should be approved, the determination is based in part on whether the authentication server indicates the one-time password is authorized for use in the transaction based on successful verification of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the account number comprises a debit card number, and the one-time password comprises a PIN associated with the debit card number.
  - 3. The method of claim 1, wherein the account number comprises a credit card number, and the one-time password comprises a card security code associated with the credit card number.
  - 4. The method of claim 1, wherein generating the one-time password comprises a function of one or more transaction data.
  - 5. The method of claim 1, wherein generating the one-time password comprises a device of the user generating the one-time password.
  - 6. The method of claim 1, wherein generating the one-time password comprises an issuer server generating the one-time password.
  - 7. The method of claim 1, wherein generating the one-time password comprises the authentication server generating the one-time password.
  - 8. The method of claim 1, wherein authenticating the user by the authentication server in response to a request from the user comprises:
    - signing a challenge by a device of the user to create a signed challenge;
      
      sending an authentication message originating from the device of the user to the authentication server via a secure communication channel, wherein the authentication message includes the signed challenge; and
      
      using the signed challenge by the authentication server to authenticate the user.
  - 9. The method of claim 8, wherein signing a challenge by a device of the user to create a signed challenge comprises:
    - receiving a user access code by the device of the user;
      
      using at least the user access code to retrieve a private key from a key wallet, wherein the key wallet is configured to output a key having the appearance of the private key for at least one access code not equaling the user access code; and
      
      creating the signed challenge by encrypting the challenge with the private key.
  - 10. The method of claim 8, wherein the authentication message further comprises:
    - a public key associated with the user, wherein the public key is encrypted using a key known only to the authentication server.
  - 11. The method of claim 8, wherein using the signed challenge by the authentication server to authenticate the user comprises:
    - decrypting a public key associated with the user using a key known only to the authentication server;
      
      decrypting the signed challenge using the public key to create a decrypted challenge;
      
      comparing the decrypted challenge to the challenge; and
      
      authenticating the user in response to a determination that the decrypted challenge equals the challenge.
  - 12. The method of claim 1, wherein using the one-time password in combination with an account number as a part of the transaction comprises a device of the user wirelessly transmitting the one-time password to a device of the merchant.
  - 13. The method of claim 1, wherein using the one-time password in combination with an account number to settle the transaction comprises:
    - the device of the user transmitting the account number to a device of the merchant.

14. A system for using a one-time password in a transaction, comprising:
- a device of a merchant configured to receive the one-time password and an account number from a device of a user;
  
  an authentication server configured to receive a request originating from the device of the user to authorize the one-time password for use in the transaction in response to authenticating the user based on information other than the one-time password;
  
  an issuer server configured to communicate with the authentication server to determine whether the one-time password is authorized for use in the transaction based on the user being authenticated on the information other than the one-time password, and to communicate with the device of the merchant to determine whether the transaction has been approved or denied based, at least in part, on whether the one-time password is authorized for use in the transaction.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, further comprising:
    - an acquirer server configured to communicate with the device of the merchant to authorize the transaction using the one-time password;
      
      a payment network configured to communicate with the acquirer server to authorize the transaction using the one-time password, and configured to communicate with the issuer server to authorize the transaction using the one-time password; and
      
      wherein the acquirer server is configured to communicate with the payment network to authorize the transaction using the one-time password.
  - 16. The system of claim 14, wherein the device of the user comprises a key wallet configured to:
    - securely store at least a private key in encrypted form;
      
      accept a user access code;
      
      decrypt and output at least the private key in response to a correct user access code; and
      
      output a key having the appearance of the private key for at least one user access code not equaling the correct user access code.
  - 17. The system of claim 14, wherein the authentication server is further configured to:
    - receive a public key that has been encrypted using a key known only to the authentication server;
      
      receive an signed challenge that has been signed using a private key that is paired with the public key;
      
      decrypt the public key using the key known only to the authentication server;
      
      decrypt the signed challenge using the public key to create a decrypted challenge; and
      
      determine if the decrypted challenge matches a previously defined challenge.
  - 18. The system of claim 14, wherein the device of the merchant is configured to receive the one-time password from the user by a user receiving the one-time password from the device of the user and manually entering the one-time password into the device of the merchant.
  - 19. The system of claim 14, wherein the device of the merchant is configured to receive the one-time password from the device of the user by the device of the user transmitting the one-time password to the device of the merchant.
  - 20. The system of claim 14, wherein the device of the merchant is configured to receive the account number from the device of the user by the device of the user transmitting the account number to the device of the merchant.
  - 21. The system of claim 16, wherein the device of the user is further configured to:
    - sign a challenge using the private key to create a signed challenge; and
      
      send to the authentication server the signed challenge and a public key that is paired with the private key, wherein the public key is encrypted using a key known only to the authentication server.

22. A method of using a one-time password for a transaction between a user and a merchant, comprising:
- performing an authentication process of the user by an authentication server, the authentication process comprising receiving information from the user other than a one-time password and authenticating the user based on the information other than the one-time password;
  
  storing an indication by the authentication server whether the one-time password is valid or invalid for use in the transaction between the user and the merchant depending upon whether the user is successfully authenticated;
  
  receiving the one-time password in combination with an account number at an electronic device of the merchant;
  
  sending a request from an electronic device of the merchant to an electronic device of an issuer to determine whether the transaction should be authorized or denied in response to receiving the one-time password in combination with an account number at an electronic device of the merchant;
  
  sending a first electronic message the authentication server from an electronic device of the issuer, wherein the first electronic message comprises the particular one-time password, and wherein the first electronic message requests a determination whether the particular one-time password is authorized for use in the transaction based on successful authentication of the user;
  
  receiving a response at an electronic device of the issuer from the authentication server of whether the one-time password is valid or invalid for use in the transaction between the user and the merchant depending upon whether the user is successfully authenticated;
  
  determining by an electronic device of the issuer whether the transaction should be approved or denied based in part on whether the authentication server indicates the particular one-time password is authorized for use in the transaction based on successful verification of the user; and
  
  sending a second electronic message from an electronic device of the issuer to the electronic device of the merchant, wherein the second electronic message includes a determination whether the transaction should be approved or denied.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Varadarajan, Rammohan, Malpani, Ambarish
Primary Examiner(s)
Agwumezie, Charles C

Application Number

US13/103,797
Publication Number

US 20110276495A1
Time in Patent Office

2,213 Days
Field of Search

705 71
US Class Current
CPC Class Codes

G06F 21/31   User authentication

G06F 21/335   for accessing specific reso...

G06F 2221/2103   Challenge-response

G06Q 20/382   insuring higher security of...

G06Q 20/3829   involving key management

G06Q 20/385   using an alias or single-us...

G06Q 20/40   Authorisation, e.g. identif...

G06Q 20/4014   Identity check for transact...

H04L 2209/56   Financial cryptography, e.g...

H04L 2463/062   applying encryption of the ...

H04L 63/0838   using one-time-passwords

H04L 9/0822   using key encryption key

H04L 9/321   involving a third party or ...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

One-time use password systems and methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

One-time use password systems and methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links