System and method for point of sale payment data credentials management using out-of-band authentication
Abstract
The invention provides an easy-to-use credential management mechanism for a multi-factor, out-of-band, multi-channel authentication process that protects payment credentials without the risk of malware and skimming attacks. When opened, the secure payment application generates a multi-dimensional transitory key. The user authenticates the multi-dimensional transitory key and validates the secure payment application, triggering an out-of-band outbound mechanism. The portable mobile device invokes the authentication server, and the authentication server authenticates the user based on the authenticated transitory key. After authentication, the merchant is allowed access to the payment credentials to complete the transaction. The process of the invention includes an authentication server, a secure payment application that generates an authentication vehicle or embodiment (i.e. the multi-dimensional transitory key) and handles incoming requests, and a portable communication device with a smartphone application.
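The three-party exchange described in the abstract and claims, as an added Python simulation that is not part of the patent or of any product implementing it. The QR-style publishing of the transitory key, the HMAC-based stand-in cipher, the per-device provisioned key used as the out-of-band proof, and all names and sample values are assumptions; the point shown is that the first channel application decrypts the returned payload with the dynamic key it placed in the transitory key, so the authentication server forwards a credential it cannot read, and a wrong portal, unprovisioned device, reused session or tampered payload is rejected.

```python
import hashlib, hmac, json, secrets

def _xor_stream(key, nonce, data):
    # Stand-in stream cipher (HMAC-SHA256 in counter mode); a deployment would use AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)
def seal(key, plaintext):  # encrypt-then-MAC under the dynamic key carried in the transitory key
    nonce = secrets.token_bytes(12); ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("payload tampered or wrong transitory key")
    return _xor_stream(key, nonce, ct)

class AuthServer:  # holds the provisioned user database; never sees the plaintext credential
    def __init__(self, provisioned):
        self.users, self.sessions = provisioned, {}  # user_id -> device key; session ID -> pending payload
    def new_session(self): sid = secrets.token_hex(8); self.sessions[sid] = None; return sid
    def receive_out_of_band(self, sid, user_id, proof, enc_credential):
        expected = hmac.new(self.users.get(user_id, b""), sid.encode() + enc_credential, hashlib.sha256).digest()
        if self.sessions.get(sid, 0) is not None or not hmac.compare_digest(proof, expected):
            return False  # unknown or already-used session, or device not in the provisioned database
        self.sessions[sid] = enc_credential; return True
    def payload_for(self, sid): return self.sessions.pop(sid, None)  # released to the first channel once
class PaymentApp:  # first channel (POS) application
    def __init__(self, server, portal): self.server, self.portal = server, portal
    def publish_transitory_key(self):
        self.sid, self.dyn_key = self.server.new_session(), secrets.token_bytes(32)
        # multi-dimensional transitory key: dynamic key, portal info, session ID, unique key (QR display assumed)
        return json.dumps({"key": self.dyn_key.hex(), "portal": self.portal, "sid": self.sid, "uid": secrets.token_hex(4)})
    def extract_credentials(self):
        blob = self.server.payload_for(self.sid)
        return json.loads(unseal(self.dyn_key, blob)) if blob else None
def device_approve(published, server, user_id, device_key, credential, trusted_portal):
    # Second channel device application: reads the published key, validates the POS app, replies out of band.
    tk = json.loads(published)
    if tk["portal"] != trusted_portal: return False  # validation of the first channel application fails
    enc = seal(bytes.fromhex(tk["key"]), json.dumps(credential).encode())
    proof = hmac.new(device_key, tk["sid"].encode() + enc, hashlib.sha256).digest()
    return server.receive_out_of_band(tk["sid"], user_id, proof, enc)

def run_flow(device_key=b"provisioned-device-key", portal="pos.example"):
    server = AuthServer({"alice": b"provisioned-device-key"}); pos = PaymentApp(server, "pos.example")  # constructed
    ok = device_approve(pos.publish_transitory_key(), server, "alice", device_key, {"card_token": "tok_4242"}, portal)
    return ok, pos.extract_credentials()
```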
20 Claims
1. A method for authentication for accessing payment credentials in a system comprising a merchant, a user, a first channel payment application, a second channel device application, and an authentication server application having a provisioned user database and encrypted payload, wherein the method comprises:
- providing a login portal for accessing payment credentials by a merchant, said login portal being in communication with said first channel payment application;
- establishing contact between the first channel payment application and the authentication server application wherein a new authentication session is started;
- generating a session identification (“ID”) at the authentication server application, wherein the session ID is communicated to the first channel payment application through at least a first communications channel;
- creating a transitory key at the first channel payment application and providing at least one authentication option for publishing the transitory key at a login screen of the login portal;
- starting authentication by entering at least one credential on the second channel portable communications device application, wherein the second channel portable communications device application validates at least one credential and displays at least one authentication option;
- using the second channel portable communications device application to receive a published transitory key and validate the first channel payment application;
- using the second channel portable communications device application to receive the message from the first channel payment application and to validate the first channel payment application;
- finding on the second channel portable communications device application at least one encrypted user credential with an encryption key from the transitory key;
- sending the at least one encrypted credential and session ID from the second channel portable communications device application to the authentication server application via an outbound out-of-band communications channel;
- validating the new authentication session;
- sending an encrypted payload to the first channel payment application;
- decrypting the encrypted payload at the first channel payment application using at least one encryption key from the transitory key; and
- extracting credentials from the decrypted payload at the first channel payment application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method for authentication in a system comprising a merchant, a user, a secure point of sale (POS) application or plugin, a second channel portable communications device application, and an authentication server having a provisioned user database and an encrypted payload, wherein the method comprises:
- detecting merchant intent to access payment credentials;
- establishing contact between the secure POS application or plugin and the authentication server wherein a new authentication session is started;
- generating a session identification (“ID”) at the authentication server, wherein the session ID is communicated to the secure POS application or plugin through at least a first communications channel;
- creating a multi-dimensional transitory key at the secure POS application or plugin, wherein the transitory key includes at least one dynamic encryption key, portal information, session ID, and a unique key, and providing an option to transmit the multi-dimensional transitory key;
- starting authentication by the user entering credentials on the second channel portable communications device application, wherein the second channel portable communications device application validates the credential and provides authentication options;
- using the second channel portable communications device application to authenticate the multi-dimensional transitory key and validate the secure POS application or plugin;
- finding on the second channel portable communications device application at least one encrypted user credential with an encryption key from the multi-dimensional transitory key;
- sending the at least one encrypted user credential and the session ID from the second channel portable communications device application to the authentication server via an outbound out-of-band communications channel;
- checking in the provisioned user database of the authentication server, wherein the new authentication session is validated;
- sending the validation result from the authentication server to the second channel portable communications device application where the result is displayed;
- extracting and decrypting the at least one user credential at the secure POS application or plugin; and
- using at least one decrypted user credential to access the payment credentials.
11. A system of user authentication for accessing payment credentials in a communications network, the system comprising:
- a first channel payment application having programming for communication with a login portal and screen for access by a merchant;
- a hardware authentication server device having programming for establishing contact between the first channel payment application and the hardware authentication server device, wherein a new authentication session is started; programming for generating a session identification (“ID”); and programming for communicating a session ID to the first channel payment application through at least a first communications channel;
- wherein the first channel payment application includes programming for creating a multi-dimensional transitory key to be published at the login screen;
- wherein the first channel payment application includes programming for authentication by receiving at least one user credential from a second channel portable communications device application;
- a second channel portable communications device application having programming for authentication, including programming for receiving at least one user credential and displaying at least one authentication option; programming for authenticating the multi-dimensional transitory key published at the login screen; programming for validating the first channel payment application; programming for finding at least one encrypted user credential with an encryption key and/or user credential from the multi-dimensional transitory key; and programming for sending the at least one encrypted user credential and session ID to the hardware authentication server device via an outbound out-of-band communications channel;
- wherein the hardware authentication server device further includes programming for checking a provisioned user database and validating the session ID; programming for sending an encrypted payload to the first channel payment application; and programming for sending the validation result to the second channel portable communications device application;
- wherein the first channel payment application includes programming for decrypting the encrypted payload at the secure payment application using at least one of the encryption keys from the multi-dimensional transitory key; programming for extracting and decrypting the at least one encrypted user credential; and programming for using at least one decrypted user credential to access at least one payment credential.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A system of user authentication for accessing payment credentials in a communications network, the system comprising:
- a secure payment application having an interface, adapter, and programming for detecting user intent to access an online account and establishing communication between the secure payment application and a hardware authentication server device to start a new authentication session;
  - wherein the secure payment application includes programming that creates a multi-dimensional transitory key containing dynamic encryption keys, portal information, session identification (“ID”), and a unique key, and said multi-dimensional transitory key is published on an interface;
  - wherein the secure payment application holds the payment credentials in place pending authentication from the authentication server and after the new authentication session is validated; and
  - wherein the secure payment application includes programming to decrypt a payload from the hardware authentication server device and extract at least one user credential and to access the payment credentials using the decrypted user credentials;
- a second channel portable communications device application having programming for validating the user credentials entered by the user and displaying at least one authentication option for the multi-dimensional transitory key to validate the session; and programming for finding at least one encrypted user credential with an encryption key from the multi-dimensional transitory key and sending the at least one encrypted user credential with the session ID to the hardware authentication server device; and
- the hardware authentication server device having programming for establishing a connection with the secure payment application, wherein the authentication server includes programming that generates a session ID and receives encrypted user credentials from the second channel portable communications device application via an outbound out-of-band communications channel; programming to check in its provisioned user database for the user credentials; and programming for validation of the new authentication session and sending an encrypted payload to the secure payment application.