Secure remote authentication through an untrusted network

US 8,826,397 B2
Filed: 01/15/2009
Issued: 09/02/2014
Est. Priority Date: 01/15/2009
Status: Active Grant

First Claim

Patent Images

1. A method for securely authenticating a user at an access device, said method comprising:

sending to a consumer device a dynamic data element and a set of transactional information for a payment transaction conducted between the consumer device and the access device;

receiving from the consumer device, an authentication code wherein the authentication code is created by the consumer device as a function of at least a subset of the set of transactional information, the dynamic data element, and a password, wherein the subset of the set of transactional information includes an amount of the payment transaction and a terminal identifier of the access device;

sending an authentication request message to a service provider containing at least the authentication code and additional information sufficient to allow the service provider to recreate the authentication code; and

receiving from the service provider an authentication response message wherein the authentication response message indicates if the recreated authentication code corresponds to the authentication code sent in the authentication request message.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securely authenticating a user of a consumer device at an access device comprising the following steps. First, a dynamic data element and a first set of transactional information is sent to the consumer device from the access device. Next, the consumer device creates an authentication code as a function of at least the dynamic data element, a subset of the first set of transactional information, and a password. The authentication code, along with other data, is then sent from the consumer device back to the access device. The access device then uses the authentication code to send an authentication request message to the service provider of the user. The service provider then attempts to authenticate the user by recreating the authentication code and comparing the recreated authentication code with the authentication code received from the access device.

45 Citations

View as Search Results

27 Claims

1. A method for securely authenticating a user at an access device, said method comprising:
- sending to a consumer device a dynamic data element and a set of transactional information for a payment transaction conducted between the consumer device and the access device;
  
  receiving from the consumer device, an authentication code wherein the authentication code is created by the consumer device as a function of at least a subset of the set of transactional information, the dynamic data element, and a password, wherein the subset of the set of transactional information includes an amount of the payment transaction and a terminal identifier of the access device;
  
  sending an authentication request message to a service provider containing at least the authentication code and additional information sufficient to allow the service provider to recreate the authentication code; and
  
  receiving from the service provider an authentication response message wherein the authentication response message indicates if the recreated authentication code corresponds to the authentication code sent in the authentication request message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1 further comprising receiving from the service provider a second dynamic data element to be used in the creation of a new authentication code for a next authentication request message sent from the access device.
  - 3. The method of claim 1 wherein the function used to create the authentication code is a hash function.
  - 4. The method of claim 3 wherein an output of the hash function is truncated so that only a portion of the output is used to create the authentication code.
  - 5. The method of claim 1 wherein the password is a small value password if the set of transactional information indicates that the value of the transaction is below a threshold amount.
  - 6. The method of claim 5 wherein the small value password is stored in the consumer device so that the small value password does not need to be manually entered into the consumer device each time the small value password is used.
  - 7. The method of claim 1 wherein the password is a large value password if the first set of transactional information indicates that the value of the transaction is above a threshold amount.
  - 8. The method of claim 7 wherein the large value password is manually entered into the consumer device each time the large value password is used.
  - 9. The method of claim 1 wherein the recreated authentication code is created from at least a subset of the data contained in the authentication request message and data locally available to the service provider.
  - 10. The method of claim 1 wherein the consumer device is a personal computer and the access device is a server computer.
  - 11. The method of claim 10 wherein the access device sends information to and receives information from a web browser running on the consumer device.
  - 12. A non-transitory computer-readable storage medium having code stored thereon for performing the method of claim 1.
  - 13. An access device with a processor and the non-transitory computer-readable storage medium of claim 12.
  - 14. The method of claim 1 wherein the authentication code is created to protect the password from being exposed to third parties in route through an untrusted network of the access device.
  - 15. The method of claim 1 wherein the authentication code is created by the consumer device and transmitted through an untrusted network of the access device without using encryption techniques or transmitting encryption keys.
  - 16. The method of claim 1 wherein the service provider is adapted to look up the password based on username or transaction amount.

17. A method for securely authenticating a user of a consumer device at a service provider computer in an untrusted network, said method comprising:
- receiving at the service provider computer, an authentication request message containing at least an authentication code and additional information sufficient to allow the service provider to recreate the authentication code, wherein the authentication code is created by the consumer device by performing a function on at least three pieces of information including a dynamic data element, a password, and a subset of a set of transactional information for a payment transaction conducted between the consumer device and an access device, wherein the subset of the set of transactional information includes an amount of the payment transaction and a terminal identifier of the access device, wherein the function transforms the three pieces of information into a scrambled form for secure transmission through the untrusted network without using encryption techniques or transmitting encryption keys;
  
  recreating an authentication code as a function of at least the dynamic data element, the subset of information contained in the authentication request message, and other data locally available to the service provider, wherein the locally available data can be retrieved as a function of the data contained in the authentication request;
  
  comparing the recreated authentication code with the authentication code received in the authentication request message;
  
  authenticating the user based on the comparison of the recreated authentication code and the authentication code received in the authentication request message; and
  
  sending an authentication response message indicating the result of the authentication step to the access device.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 18. The method of claim 17 further comprising sending a second dynamic data element to the access device to be used in the creation of a new authentication code for a next authentication request message sent from the access device.
  - 19. The method of claim 17 wherein the function used to create the authentication code is a hash function.
  - 20. The method of claim 19 wherein an output of the hash function truncated so that only a portion of the output is used to create the authentication code.
  - 21. The method of claim 17 wherein the password is a small value password if the set of transactional information indicates that the value of the transaction is below a threshold amount.
  - 22. The method of claim 21 wherein the small value password is stored in the consumer device so that the small value password does not need to be manually entered into the consumer device each time the small value password is used.
  - 23. The method of claim 17 wherein the password is a large value password if the set of transactional information indicates that the value of the transaction is above a threshold amount.
  - 24. The method of claim 23 wherein the large value password is manually entered into the consumer device each time the large value password is used.
  - 25. The method of claim 17 wherein the consumer device is a personal computer and the access device is a server computer.
  - 26. A non-transitory computer-readable storage medium having code stored thereon for performing the method of claim 17.
  - 27. A server computer with a processor and the non-transitory computer-readable storage medium of claim 26.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Visa International Service Association (Visa, Inc.)
Original Assignee
Visa International Service Association (Visa, Inc.)
Inventors
Sheets, John F., Hurry, Simon
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US12/354,242
Publication Number

US 20100180326A1
Time in Patent Office

2,056 Days
Field of Search

726 2- 32, 713/18, 713150-194, 713/200, 713/FOR.123, 713/FOR.125, 380/247
US Class Current

726/6
CPC Class Codes

G06Q 20/20   Point-of-sale [POS] network...

G06Q 20/3278   RFID or NFC payments by mea...

G06Q 20/382   insuring higher security of...

G06Q 20/3825   Use of electronic signatures

G06Q 20/385   using an alias or single-us...

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/805   Lightweight hardware, e.g. ...

H04L 63/083   using passwords cryptograph...

H04L 63/12   Applying verification of th...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Secure remote authentication through an untrusted network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

45 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Secure remote authentication through an untrusted network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links