JP2014508334A - Automatic user authentication, online checkout and electronic payment via mobile communication device with imaging system - Google Patents

Abstract

  The graphical authentication identifier is used to facilitate automatic user authentication, user checkout at a web store, or automatic electronic payment processing. The graphical identifier authentication system receives a request from an authentication entity for a disposable graphical authentication identifier. In response to the received request, a disposable graphical authentication identifier displayed by the authentication entity is generated. A request for user authentication information by the authentication entity is encoded in a graphical authentication identifier, which is sent to the authentication entity for display (eg, on a login screen). The registered user operation computing device captures the disposable graphical authentication identifier displayed by the authentication entity. In response, the requested user credentials are authenticated by the authenticating entity so that the user is automatically authenticated to the authenticating entity without manually entering the requested user credentials. Sent to.

Description

  The present disclosure relates generally to computer security, and more particularly to the use of graphical identifiers for automatic user authentication, automatic online checkout, and automatic electronic payments.

  Computer users typically log in to a number of different websites (bank sites, shopping sites, work-related sites, social network sites, etc.) each requiring a username and password. This frequent password-based login is inconvenient for the user and provides an opportunity for a malicious person to steal the password. The user has the option of using different passwords for each of the websites that he logs in or using the same password across multiple sites. Using different passwords for each site results in the user having to manage a large number of passwords. In such a situation, a situation may arise where the user may forget his password and therefore cannot log in to the desired site. To deal with this problem, some users write down their passwords where they can be accessed, which poses a security risk. Another partial solution is the use of a password manager, which only works on the computer where the password manager is installed or on a computer synchronized to the password manager. As a result, the user will not be able to log in to the website from other computers, such as an internal computer in a hotel business center, Internet cafe, or library.

  On the other hand, it is not desirable from the viewpoint of security to use the same password across a plurality of sites. If that single password is compromised, all of the user's accounts are vulnerable. Some users use the same password for each type of site (eg, one password is used for social networks and another password is used for financial sites). Again, it is difficult for many users to store their passwords. Also, using a limited number of different passwords still poses a significant security risk compared to using a unique password for each site.

  A malicious party can steal passwords by various methods such as phishing, keyloggers, network traffic monitoring, malicious browser plug-ins, and playback of passwords captured at other sites. Although the password manager prevents (and reduces phishing to some extent) passwords by keyloggers, users still remain vulnerable to other types of password misuse.

  It would be desirable to address these issues with password-based login.

  With the passage of laws requiring further security measures by financial institutions, two-factor authentication is becoming increasingly popular. Two-factor authentication is user authentication that requires two separate means to prove the user's identity. In one-factor authentication, the user can enter a single value, such as a rolling value generated by a biometric indicator such as a password (most commonly) or (alternatively) a physical token or fingerprint or retina. This element can prove your identity. In two-factor authentication, two such factors (eg, password and rolling value) must be provided. The most common form of two-factor authentication currently uses a static user input password as the first element, which includes a hardware key fob (such as RSA SecurID) or a special mobile device (Verisisign). A rolling value that is generated by a VIP and displayed to the user.

  These hardware devices continually generate new rolling values that are unique to the individual device. A rolling value is a dynamic value that is regenerated frequently (eg, every 30 seconds) or in response to a given event (eg, whenever the user presses a given input mechanism). is there. A hardware device of the type described above typically maintains the generation of one new rolling value per given period. Such a rolling value can be used for user authentication and can be viewed as a rolling password associated with a particular generating device. Such rolling values typically have a pseudo-random number of a given number of digits (eg, six) generated based on a seed value such as the current time or a series of previous values. The authenticator can generate the same current rolling value as the given generator at any given time (i.e., the authenticator can also use any key that is used to generate the seed or rolling value). Have). Thus, the authentication device can verify that the received rolling value is actually generated by a given device.

  The hardware device that generates the rolling value is not desirable for the user because it is yet another device that the user must carry. Furthermore, the user must type in the current rolling value and a static password, which is more burdensome than typing only the password. Also, these devices are not desirable for administrators and IT professionals because they are frequently lost, have limited battery life, and must be replaced cyclically. Although rolling value generation software also exists (eg, Verisign VIP), this still requires the user to manually enter the current rolling value, and the actual length of the possible rolling value Limitations exist.

  It would also be desirable to address these issues regarding two-factor authentication.

  Online retail sales in the United States are estimated to reach $ 248.7 billion by 2014, an increase of $ 60 billion from 2010. Despite the popularity of online sales, to complete an online purchase, the user still needs to type in his name, email address, credit card information, and shipping details. To make matters worse, most online retailers require users to create an account at their site, which results in additional steps and additional data entry processes for the user. Will be added. Furthermore, each time a user enters such information to facilitate online purchases, the user's confidential information is exposed to the risk of misuse by malware, keyloggers, and phishing websites.

  In some online retailers, a user with an account can save payment and shipping information and can select from pre-filled choices after logging into the web store. However, the user still needs to re-enter this information for each separate online merchant, and the user must log in to each specific web store each time he wants to make a purchase. There is. Paypal and Google allow users to enter their identity, payment, and shipping information once and then select Paypal or Google Checkout to complete online transactions with multiple web stores. This problem is alleviated to some extent. These services allow the user to select payment and shipping details from a menu and provide a payment notification to the web store along with the user's shipping details. Paypal and Google Checkout are a positive forward step compared to having to enter this information separately for each purchase at each web store, but each time a user performs a purchase, It still does not provide a means of checkout that does not require logging in. For example, a customer can visit a web store, add products to their cart, select checkout, and then select a Paypal or Google Checkout option. In this regard, the user must log in to his Paypal or Google Checkout account, and the user must manually enter a username and password each time a purchase is made.

  It would be desirable to address these challenges.

  Cash is disappearing from daily life as a means of payment. Carrying enough cash for every purchase is cumbersome and poses the risk of theft to people. The use of credit cards is becoming common for almost all purchases, both online and offline. Credit card payments solve the above-mentioned problems with cash, but bring about a series of its own problems such as proof of identity, credit card theft, credit card number theft, and card cloning. Become. Debit cards solve some of these challenges associated with credit cards as customers enter their PINs to prove their identity. That is, a stolen debit card is useless without a PIN. However, the thief can also make fake ATMs, and can attach a device that allows debit card cloning to a real ATM, which allows access to the PIN. it can. Various contactless payment systems have been developed that attempt to provide electronic payments such as Visa payWave and Mastercard PayPass. While these systems make it very difficult for a thief to clone a card, the other aforementioned problems associated with credit cards still exist.

  It would be desirable to address these challenges related to credit card payments.

  In this connection, people often exchange money for various reasons. For example, a person may borrow money from a friend and then return the money. A person may purchase an item from an individual after finding the item on, for example, a Craigslist. A person may give a gift of cash to a relative. Carrying and exchanging cash for these transactions is problematic for the reasons described above. Because most individuals do not have commercial accounts, it is difficult to pay individuals with a credit card. Paying individuals via PayPal is an excellent solution if the payee is set up to receive payments this way, but not all people are set up this way. Absent. Furthermore, in the case of PayPal, since the payer must know the e-mail address of the payee, anonymous payment cannot be executed.

  It would be desirable to address these challenges related to payments between individuals.

  The graphical identifier authentication system facilitates automatic user authentication using graphical authentication identifiers. The graphical identifier authentication system receives a request for a disposable graphical authentication identifier from an authentication entity. In some embodiments, the request from the authentication entity identifies the specific authentication information that the authentication entity is requesting. In some embodiments, an authentication entity is a website that requires a user to log in or otherwise enter authentication information. In response to the received request, a disposable graphical authentication identifier displayed by the authentication entity is generated. A request for user authentication information by the authentication entity is encoded in the graphical authentication identifier. In some embodiments, this further comprises the step of encoding in the graphical authentication identifier the identity of the specific authentication information that the authentication entity is requesting. In either case, the generated graphical authentication identifier is sent to the authentication entity for display (eg, on a login screen).

  The disposable graphical authentication identifier displayed by the authentication entity is captured by a registered user operation computing device (eg, mobile communication device). In response, the requested user authentication information is such that the user is automatically authenticated to the authenticating entity without manually entering the requested user authentication information. Sent to the authentication entity. More particularly, the graphical identifier authentication system includes a request for automatically completing user authentication to an authentication entity in response to the user-operated computing device capturing a disposable graphical authentication identifier displayed by the authentication entity. Is received from the user-operated arithmetic unit. In some embodiments, the request received from the user-operated computing device includes specific authentication information requested by the authentication entity. In other embodiments, the request specifies the authentication information that the authentication entity is requesting without including the authentication information itself.

  In some embodiments, the requested authentication information has a second factor authentication rolling value that is at least predictable by the authentication entity. In these examples, such second factor authentication rolling value is responsive to the user-operated computing device capturing the disposable graphical authentication identifier displayed by the authentication entity (eg, by the mobile communication device). Generated. The generated rolling value is then transmitted to the authenticating entity.

  The graphical identifier checkout system facilitates automatic checkout of users in the store using the graphical checkout identifier. The graphical identifier checkout system receives a request for a disposable graphical checkout identifier from a web store. In some embodiments, the request from the web store identifies the specific checkout completion information that the web store is requesting. In response to the received request, a disposable graphical checkout identifier displayed by the web store is generated. A request for checkout completion information by the web store is encoded in the graphical checkout identifier. In some embodiments, this further comprises encoding the ID of the specific checkout completion information that the web store is requesting in the graphical checkout identifier. In either case, the generated graphical checkout identifier is sent to the web store for display (eg, on a checkout screen).

  The registered user operation calculation device (for example, mobile communication device) captures the disposable graphical checkout identifier displayed by the web store. In response, the requested payment completion information is automatically sent to the web store by the user without manually logging into the web store or entering the requested payment completion information. It is sent to the web store so that it can be settled. More particularly, the graphical identifier checkout system is a request for automatically completing a user checkout at a web store in response to a user-operated computing device capturing a disposable graphical checkout identifier displayed by the web store. Is received from the user-operated arithmetic unit. In some embodiments, the request received from the user-operated computing device includes specific checkout completion information requested by the web store. In other embodiments, the request specifies the payment completion information requested by the web store without including the payment completion information itself.

  The graphical identifier payment system facilitates automatic processing of electronic payments from the user to the recipient using the graphical payment identifier. The graphical identifier payment system receives a request for a disposable graphical payment identifier from a payment processing entity. In some embodiments, the request from the payment processing entity identifies the specific payment information that the payment processing entity is requesting. In some embodiments, the payment processing entity is a POS (Point Of Sale) system. In other embodiments, the payment processing entity is a credit card terminal. In response to the received request, a disposable graphical payment identifier displayed by the payment processing entity is generated. A request for payment information by a payment processing entity is encoded in a graphical payment identifier. In some embodiments, this further comprises encoding the ID of the specific payment information that the payment processing entity is requesting in the graphical payment identifier. In either case, the generated graphical payment identifier is sent to the payment processing entity for display (eg, on a payment screen).

  The registered user-operated computing device (eg, mobile communication device) captures the disposable graphical payment identifier displayed by the payment processing entity. In response, an electronic payment is automatically made from the user to the recipient without the user manually entering the required payment information and without the user providing a physical credit card. As such, the requested payment information is sent to the payment processing entity. More particularly, the graphical identifier payment system is configured to provide a user-operated request for automatically processing electronic payments in response to the user-operated computing device capturing a disposable graphical payment identifier displayed by the payment processing entity. Receive from the arithmetic unit. In some embodiments, the request received from the user-operated computing device includes specific payment information requested by the payment processing entity. In other embodiments, the request specifies the payment information that the payment processing entity is requesting without including the payment information itself.

  In some embodiments, the graphical payment identifier is used to facilitate automatic processing of electronic payments from a paying user operating the first mobile device to a paying user operating the second mobile device. Yes. In these embodiments, the graphical identifier payment system receives a request for a disposable graphical payment identifier from the payment user's mobile device. In response, a graphical payment identifier encoding an offer to perform payment from the paying user to the paying user is transmitted to and displayed by the paying user's mobile device. The displayed graphical payment identifier is captured by the payee user's mobile device. In response, the payee user's mobile device sends a request to the graphical identifier payment system to begin processing the electronic payment. The graphical identifier payment system allows automatic payment from paying user to paying user without the payment user providing a physical credit card and without requiring the paying user to accept credit card payments. The request is sent to the payment processing entity to automatically process the electronic payment, so that it is executed automatically. The request for the payment processing entity can include actual payment information for both the paying user and the paying user. The graphical identifier payment system can receive confirmation from the payment processing entity that the payment has been processed and can send confirmation to both mobile devices for display to the user.

  The features and advantages described in this summary and in the following detailed description are not all-inclusive and are particularly numerous in light of the accompanying drawings, specification, and claims. These features and advantages will be apparent to those skilled in the art. Furthermore, the terms used herein are selected primarily for readability and teaching purposes, and are not selected to delineate or limit the inventive subject matter, It should be noted that this determination requires a claim.

1 is a block diagram of an exemplary network architecture that can implement a graphical identifier authentication system, graphical identifier settlement system, or graphical identifier payment system in accordance with some embodiments. FIG. FIG. 2 is a block diagram of a computer system suitable for implementing a graphical identifier authentication system, graphical identifier settlement system, or graphical identifier payment system in accordance with some embodiments. FIG. 3 is a block diagram of the operation of a graphical identifier authentication system according to some embodiments. 4 is a mockup screen shot of a website displaying a graphical authentication identifier according to some embodiments. FIG. 3 is an illustration of a mobile communication device that captures a displayed graphical authentication identifier in accordance with some embodiments. FIG. 3 is a block diagram of the operation of a graphical identifier checkout system according to some embodiments. 4 is a mock-up screen shot of a web store displaying a graphical checkout identifier according to some embodiments. FIG. 3 is an illustration of a mobile communication device that captures a displayed graphical checkout identifier according to some embodiments. FIG. 6 is a diagram of a mobile communication device displaying a transaction confirmation according to some embodiments. FIG. 3 is a block diagram of the operation of a graphical identifier payment system according to some embodiments. 1 is a diagram of a POS system displaying a graphical payment identifier according to some embodiments. FIG. FIG. 3 is an illustration of a mobile communication device that captures a displayed graphical payment identifier in accordance with some embodiments. FIG. 6 is a diagram of a mobile communication device displaying a transaction confirmation according to some embodiments. FIG. 7 is a block diagram of the operation of a graphical identifier payment system in which a payment mobile communication device performs payment to a receiving mobile communication device according to another embodiment. FIG. 3 is a diagram of a payer's mobile communication device displaying an input screen for performing payment to another user according to some embodiments. FIG. 4 is a diagram of a payer's mobile communication device displaying a graphical payment identifier in accordance with some embodiments. FIG. 6 is a diagram of a payee's mobile communications device displaying a transaction confirmation according to some embodiments.

  The accompanying drawings merely illustrate various embodiments for purposes of illustration. Those skilled in the art will readily appreciate from the following description that alternative embodiments of the structures and methods shown herein may be utilized without departing from the principles described herein. You will recognize.

  FIG. 1 is a block diagram illustrating an example network architecture 100 in which a graphical identifier authentication system 100 may be implemented. A graphical identifier settlement system 600 or graphical identifier payment system 1000 can also be implemented in such a network architecture 100, but this is not explicitly shown in FIG. The illustrated network architecture 100 includes a plurality of mobile communication devices 103A, 103B, and 103N, and a plurality of servers 105A and 105N. In FIG. 1, the graphical identifier authentication system 101 is shown as existing on the server 105 </ b> A, and its device agent 102 exists on each mobile communication device 103. This is only an example, and in various embodiments, the various functions of the system 101 (or graphical identifier payment system 600 or graphical identifier payment system 1000) can be configured as required by the mobile communication device 103. It should be understood that it can be instantiated on the server 105 or distributed among multiple computing devices.

  It should be understood that the mobile communication device 103 described herein has a portable computer system 210 that is capable of connecting to the network 107 and executing applications (such mobile communication devices 103 are often Many mobile phones that are also referred to as smartphones but are not labeled as such have these capabilities). Mobile communication device 103 and server 105 may be implemented by using a computer system 210 such as that shown in FIG. 2 and described below. The mobile communication device 103 and the server 105 are communicatively coupled to the network 107 via, for example, a network interface 248 described below in connection with FIG. The mobile communication device 103 can access the applicant and / or data on the server 105 by using, for example, a web browser or other client software (not shown).

  Although FIG. 1 shows three mobile communication devices 103 and two servers 105 as an example, in practice, a larger (or a smaller) number of mobile communication devices 103 and / or servers 105 are included. Can be deployed. In one embodiment, network 107 has the form of the Internet. In other embodiments, other networks 107 or network-based environments can be used.

  FIG. 2 is a block diagram of a computer system 210 suitable for implementing graphical identifier authentication system 101 (as shown) or graphical identifier settlement system 600 or graphical identifier payment system 1000 (not shown in FIG. 2). is there. Both the mobile communication device 103 and the server 105 can be implemented in the form of such a computer system 210. As shown, one component of computer system 210 is bus 212. Bus 212 is external to at least one processor 214, system memory 217 (eg, random access memory (RAM), read only memory (ROM), flash memory), input / output (I / O) controller 218, speaker system 220, and the like. One or more interfaces such as an audio output interface 222 communicatively coupled to an audio device, a display adapter 226 communicatively coupled to an external video output device such as a display screen 224, a serial port 230, USB (Universal Serial) Bus) receptacle 230, parallel port (not shown), etc., keyboard controller 233 communicatively coupled to keyboard 232, at least one hard disk 244 (or other) A storage interface 234 communicatively coupled to one or more forms of magnetic media, a floppy disk drive 237 configured to accept a floppy disk 238, and a FC (Fibre Channel) network 290. HBA (Host Bus Adapter) interface card 235 A, HBA interface card 235 B configured to connect to SCSI bus 239, optical disk drive 240 configured to accept optical disk 242, for example, via USB receptacle 228 A mouse 246 (or other pointing device) coupled to 212, for example, a modem 247 coupled to the bus via serial port 230, and , Communicatively coupled to other components of computer system 210, such as a network interface 248 that is directly coupled to the bus 212.

  Other components (not shown) may be connected in a similar manner (eg, document scanner, digital camera, printer, etc.). Conversely, not all of the components shown in FIG. 2 need to be present. The components can also be interconnected in different ways than those shown in FIG.

  The bus 212 allows data communication between the processor 214 and the system memory 217, and the system memory 217 may include ROM and / or flash memory and RAM as described above. The RAM is usually a main memory into which an operating system and application programs are read. The ROM and / or flash memory can contain a basic input-output system (BIOS) that controls certain basic hardware operations in addition to other codes. The application program can be stored on a local computer readable medium (eg, hard disk 244 or optical disk 242) and can be loaded into system memory 217 and executed by processor 214. The application program can also be loaded into the system memory 217 from a remote location (ie, the computer system 210 located at the remote location) via the network interface 248 or the modem 247, for example. In FIG. 2, the graphical identifier authentication system 101 is shown as being present in the system memory 217. Hereinafter, the operation of the graphical identifier authentication system 101 will be described in more detail with reference to FIGS.

  Storage interface 234 is coupled to one or more hard disks 244 (and / or other standard storage media). The one or more hard disks 244 may be part of the computer 210 or may be physically separate and accessed through other interface systems.

  Network interface 248 and / or modem 247 may be communicatively coupled to network 107 such as the Internet, either directly or indirectly. Such coupling can be wired or wireless.

  FIG. 3 illustrates the operation of the device identifier 102 residing in the system memory 217 of the mobile communication device 103 and the graphical identifier authentication system 101 residing in the system memory 217 of the server computer 105 according to some embodiments. As described above, the functionality of the device agent 102, the graphical identifier authentication system 101, the graphical identifier settlement system 600, or the graphical identifier payment system 1000 can reside on the mobile communication device 103, the server 105, or The target function may be distributed among a plurality of computer systems 210 including a computing environment based on the cloud that provides the service as a service on the network 107. The device agent 102 and the graphical identifier authentication system 101 are shown as a single entity in FIG. 3 (and so are the graphical identifier settlement system 600 and the graphical identifier payment system 100 of FIGS. 6 and 10). It should be understood that these components represent a collection of functions that can be instantiated as single or multiple modules, as appropriate. FIG. 3 illustrates the instantiation of specific modules of the device agent 102 and the graphical identifier authentication system 101. FIG. 6 illustrates the instantiation of specific modules of the device agent 102 and the graphical identifier settlement system 600. FIG. 10 illustrates the instantiation of specific modules of the device agent 102 and the graphical identifier payment system 1000.

  The modules of the device agent 102, the graphical identifier authentication system 101, the graphical identifier settlement system 600, and the graphical identifier payment system 1000 cause the computer system 210 to perform related functions as the processor 214 of the computer system 210 processes the module. In particular, it should be understood that it can be instantiated (eg, as object code or an executable image) in the system memory 217 (eg, RAM, ROM, flash memory) of any computer system 210. As used herein, the terms “computer system”, “computer”, “client”, “client computer”, “server”, “server computer”, “mobile communication device”, and “computing device” Means one or more computers configured and / or programmed to perform the functions described; Furthermore, program code for implementing the functions of these components can be stored on a computer-readable storage medium. In this context, computer-readable storage media having any form of entity such as magnetic or optical storage media may be used. The term “computer-readable storage medium” as used herein does not imply an electronic signal that is distinct from the underlying physical medium.

  As shown in FIG. 3, the graphical identifier authentication system 101 stores an username and password and provides an authentication method that frees the user from having to manually enter each site 301 to visit. It is possible. Instead, the user is authenticated by using a special graphical authentication identifier 303 displayed on the target site login screen 305. As will be described in more detail below, the graphical authentication identifier 303 is displayed on the user's personal mobile communication device 103 (for example, a smartphone or tablet computing device), for example, on an image reading device 307 (for example, a digital camera, a digital barcode reader, etc.). ) Is captured by. Once the graphical authentication identifier 303 is captured, the device agent 102 running on the mobile communication device 103 receives information from the site 301 for the user to provide authentication sensitive information (eg, user name and password, rolling value, etc.). The graphical authentication identifier 303 is interpreted as a request. The device agent 102 on the mobile communication device 103 then completes the authentication process for the user with the site 301 automatically through the back channel, as described in more detail below. To control.

  In FIG. 3, the graphical identifier authentication system 101 is shown as residing on a server 105 that is separate from any site 301 where a user is automatically authenticated via a graphical authentication identifier 303. In other embodiments, some or all of the functionality of the graphical identifier authentication system 101 can be provided directly by the computer 210 hosting the authentication site 301. However, in an embodiment running on a separate server 105 as shown in FIG. 3, the graphical identifier authentication system 101 can be used in the context of multiple authentication sites 301. The graphical identifier authentication system 101 is trusted between the mobile communication device 103 and the accessed site 301 to complete the authentication of the user by the site 301 (including two-factor authentication in some embodiments). Is mediating.

  Each user desiring to use the graphical authentication function obtains a mobile communication device 103 running the device agent 102. Such users authenticate themselves to the graphical identifier authentication system 101 and register themselves in the mobile communication device 103. The graphical identifier authentication system 101 can authenticate the user using any conventional authentication method (user name and password, ID check, bank transfer, credit card authentication, etc.). The graphical identifier authentication system 101 also reads a specific mobile that is operated by an authenticated user, for example, by reading unique identification information such as a serial number from the installed device agent 102 or the mobile communication device 103 itself. The communication device 103 is identified. The graphical identifier authentication system 101 can be used between a user and a particular mobile communication device 103 so that the graphical identifier authentication system 101 can later recognize authorized users and registered mobile communication devices 103. Saving the association.

  The graphical authentication identifier generation module 311 of the graphical identifier authentication system 101 generates a disposable graphical authentication identifier 303 used by the authentication site 301. The graphical authentication identifier has a notification of a request for authentication information from a specific site 301. The graphical authentication identifier 303 can be output as a visible image that can be captured and interpreted by the mobile communication device 103 running on the device agent 102. In one embodiment, the graphical authentication identifier 303 has a renderable QR code that can be embedded on a web page. In addition to QR codes, in other embodiments, simple barcodes, 2d barcodes (3-DI, ArrayTag, Aztec Code, Codeblock, Code 1, Code 16K, Code 49, Color Code, CP Code, DataGlyph, Data Matrix, Datastrip, Dot Code A, HCCB (Microsoft Tag), hueCode, Intercode. MaxiCode, MiniCode, PDF417, Snowflakes code, SuperCode, U1tracode) it can. The amount of information encoded within the graphical authentication identifier 303 can vary from site 301 to embodiment. The graphical authentication identifier 303 can encode the ID of the site 301 that issued the identifier and the notification of specific authentication information requested by the site. In other examples, the graphical authentication identifier 303 identifies the site 301, but the graphical identifier authentication system 101 and / or the device agent 102 keeps track of which site 301 is requesting which authentication information. ing. In either case, the graphical authentication identifier encoding module 312 encodes information in the graphical authentication identifier 303 so that the device agent 102 can interpret it, as will be described later.

  When the site 301 supporting the graphical authentication identifier 303 desires to authenticate the user (for example, at the time of reading the page including the login screen 305), the site 301 sends a request for the graphical authentication identifier 303 to the graphical identifier authentication system. Issue to 101. The receiving module 307 of the graphical identifier authentication system 101 on the server receives the request. In response to the received request, the graphical authentication identifier generation module 311 generates a disposable graphical authentication identifier 303 for the site 301. In some examples, the request identifies specific requested authentication information for encoding within the graphical authentication identifier 303. In another example, the graphical identifier authentication system 101 stores this information for each site 301 and encodes the information in the generated graphical authentication identifier 303. In yet other examples, this information is not encoded within the graphical authentication identifier 303, as described above. In any case, the transmission module 317 of the graphical identifier authentication system 101 transmits the generated graphical authentication identifier 303 to the requesting site 301.

  The site 301 receives the graphical authentication identifier 303 and processes the identifier to display the resulting image on its login screen 305. In some embodiments, the graphical authentication identifier 303 itself is only a request for authentication displayed by the site 301. In other embodiments, the graphical authentication identifier 303 is displayed in addition to a conventional prompt for at least some authentication information. For example, the user can be given an option to log in by manually entering information or using the graphical authentication identifier 303. In some embodiments, some authentication information (eg, a first authentication factor) is entered in a conventional manner, and some authentication information (eg, a second authentication factor) is a graphical authentication identifier. 303 is input. FIG. 4 shows a website login screen 305 displaying a graphical authentication identifier 303 and a conventional prompt 401 for the user name.

  When observing the login screen 305 of the site including the graphical authentication identifier 303, the user can automatically log in by using the registered mobile communication device 103. In some embodiments, the device agent 102 prompts the user to identify himself / herself in order to prevent unauthorized persons from using the stolen mobile device 103. Depending on the capabilities of the mobile device 103, the user's ID can be a 4-digit PIN (Personal Identification Number) entry or another conventional authentication such as fingerprint scanning, facial shape recognition, or other biometric authentication Can have a method. Once the user is identified at the mobile device 103 level, the user aims the image reader 307 of the mobile communication device 103 against the graphical authentication identifier 303 displayed on the site login screen 305 and reads the image Activate device 307 (eg, take or scan a digital photograph of graphical authentication identifier 303). The image reading device 307 captures the graphical authentication identifier 303 and the device agent graphical identifier interpretation module 313 interprets the information encoded therein as a request by the site 301 for authentication information. FIG. 5 illustrates a mobile communication device 103 that captures a graphical authentication identifier 303 according to some embodiments.

  The graphical identifier interpretation module 313 interprets the information encoded in the graphical authentication identifier 303, which, as described above, is usually the site 301 that is requesting authentication information and in some cases. Identifies the specific authentication information requested. In some embodiments, the graphical identifier interpretation module 313 displays a confirmation to the user that the graphical authentication identifier 303 has been successfully interpreted. In either case, the automatic authentication initiation module 315 of the device agent 102 communicates with the graphical identifier authentication system 101 to request that the graphical identifier authentication system 101 automatically complete user authentication, thereby Automatic user authentication for 301 is started.

  A receiving module 309 of the graphical identifier authentication system 101 on the server 105 receives a request from the mobile device 103 to automatically complete user authentication. In order to automatically complete the authentication of the user to the site 301, the sending module 317 of the graphical identifier authentication system 101 on the server 105 is responsive to the mobile device 103 associated with the user capturing the graphical authentication identifier 303. Then, the requested authentication information is transmitted to the site 301. In some cases, the automatic authentication initiation module 315 of the device agent 102 provides the requested authentication information to the graphical identifier authentication system 101 on the server 105. In some of these embodiments, the notification of authentication information requested by the site 301 is encoded in the graphical authentication identifier 303, which is interpreted at the mobile device 103 level, as described above. The In other such embodiments, the mobile device 103 keeps track of which site is requesting which authentication information. In other embodiments, the graphical identifier authentication system 101 on the server 105 stores registered user authentication information, and therefore does not need to receive the requested information from the mobile device, instead. Only the request to complete the authentication is received. In any case, the transmission module 317 automatically completes authentication by transmitting the requested authentication information to the site 301. This authentication information can be actively sent to the site 301 in response to the mobile device 103 capturing the graphical authentication identifier 303 or in response to a specific request from the site 301 itself. . When the site 301 receives the authentication information, the site 301 authenticates the user using the authentication information. Note that by using the graphical authentication identifier 303, the user is spared from having to manually enter authentication information.

  In some embodiments, the targeted authentication is one-factor authentication, in which case the sending module 317 typically has authentication information such as a username and password (or other single authentication factor). Is transmitted to the site 301. In other embodiments, authentication is two-factor, in which case the sending module 317 provides an appropriate current rolling value to the site 301 instead of or in addition to this, This frees the user from the need to manually enter rolling values. In this case, since it is not necessary to type in the rolling value, a rolling value longer than the conventional two-factor authentication is allowed.

  More specifically, in embodiments that support two-factor authentication, the rolling value generation module 319 of the device agent 102 has the ability to securely generate a rolling value that can be predicted by the supported authentication site 301 (ie, , The supported authentication site 301 has a corresponding seed required to generate a matching rolling value). In such an embodiment, when the current rolling value is part or all of the requested authentication information, the rolling value generation module 319 may use the graphical identifier authentication system 101 for use in the automatic authentication process. Generate the current rolling value sent for.

  Although the capture of the graphical authentication identifier 303 and the initiation of the automatic authentication process have been described above as being performed by the mobile device 103, in some embodiments, the user can authenticate the authentication site 301 from a computer system 210 other than the mobile device 103. Please understand that you can also interact with. For example, a user may be browsing the Internet on a desktop computer 210 (not shown), thereby reaching a website that requires a login that supports authentication based on the graphical authentication identifier 303. There is a possibility. The user can then use the registered mobile device 103 to capture the graphical authentication identifier 303 displayed on the website login screen 305 so that the process described above can be performed on a desktop computer. The user operating 210 will be automatically logged into the website. In some embodiments, some or all of the functions described as being performed by the mobile device 102 can be performed by a registered non-mobile computer 210. In some embodiments, the user can interact with the authentication site 301 from the mobile device 103 after authentication.

  Note that in some embodiments, the site 301 referenced herein is a website that requires a user login. However, in other embodiments, any functionality that requires the user to enter authentication information and graphically prompt the user to do so by using the functionality described herein. Users can be authenticated against entities. For example, a software application or hardware device that presents a login screen 305 to the user and that requires authentication information from the user can display a graphical authentication identifier 303 on the login screen 305, In addition, the user may be authenticated using the functions described above.

  Communications between the mobile device 103 and the graphical identifier authentication system 101 on the server 105 and between the graphical identifier authentication system 101 on the server 105 and the various authentication sites 301 are usually encrypted for security. Furthermore, since each graphical authentication identifier 303 can be used only once, communication cannot be reproduced normally. Communication between the mobile device 103 and the graphical identifier authentication system 101 on the server 105 can be implemented via SMS or other messaging service in examples where the mobile device 103 does not currently have access to the Internet. .

  As shown in FIG. 6, the graphical identifier settlement system 600 prompts the user from having to log in manually or enter payment and shipping information each time an online purchase from the web store 601 is performed. Enables automatic web store checkout procedures to be released. Instead, the user completes the online checkout process using a special graphical checkout identifier 603 displayed on the checkout screen 605 of the web store. As will be described in more detail below, the graphical checkout identifier 603 is displayed on the user's personal mobile communication device 103 (eg, a smartphone or tablet computing device) such as an image reader 307 (eg, digital camera or digital barcode reader). Captured by the device). Once the graphical checkout identifier 603 is captured, the device agent 102 running on the mobile communication device 103 interprets the graphical checkout identifier 603 as a request from the web store 601 for checkout completion information (eg, payment and shipping information). . The device agent 102 on the mobile communication device 103 then completes the checkout process with the web store 601 for the user automatically through the back channel, as will be described in more detail below. To control. Note that providing payment information (eg, credit number and expiration date, bank account number, etc.) to web store 601 is not the same as the actual execution of payment (eg, transfer of funds by a financial institution). . As used herein, the term “web store 601” refers to an online site where users can purchase goods or services.

  In FIG. 6, the graphical identifier settlement system 600 is shown as residing on a server 105 that is separate from any web store 601 that allows a user to complete a transaction via the graphical settlement identifier 603. In other embodiments, some or all of the functionality of the graphical identifier settlement system 600 can be provided directly by the computer 210 hosting the web store 601. However, in an embodiment running on a separate server 105 as shown in FIG. 6, the graphical identifier settlement system 600 can be used in connection with multiple web stores 601. The graphical identifier settlement system 600 mediates trust between the mobile communication device 103 and the accessed web store 601 to complete the user's checkout at the web store 601.

  Each user who desires to use the graphical checkout function described herein obtains a mobile communication device 103 running a device agent 102. Such a user registers in the graphical identifier settlement system 600. To register a user, the graphical identifier checkout system 600 authenticates the user and identifies the user's mobile communication device 103. The graphical identifier settlement system 600 can authenticate the user using any conventional authentication method (user name and password, ID check, bank transfer, credit card authentication, etc.). In order to identify a particular mobile communication device 103 being operated by an authenticated user, the graphical identifier checkout system 600 can identify a unique number, such as a serial number from the installed device agent 102 or the mobile communication device 103 itself, for example. Identification information can be read. Registered users can provide settlement completion information (eg, credit card information, bank account information, and / or actual payment methods such as PayPal, shipping address, etc.) to the graphical identifier settlement system 600. The graphical identifier settlement system 600 can recognize the registered user and the mobile communication device 103 later and process the associated settlement completion information so that the user, the particular mobile communication device 103, and Save the association between user checkout completion information, if provided.

  The graphical settlement identifier generation module 311 of the graphical identifier settlement system 600 generates a disposable graphical settlement identifier 603 used by the web store 601. The graphical checkout identifier has a notification of a request for checkout completion information from a specific web store 601. The graphical checkout identifier 603 can be output as a visible image that can be captured and interpreted by the mobile communication device 103 running the device agent 102. In one embodiment, the graphical checkout identifier 603 has a renderable QR code that can be embedded on a web page. In addition to QR Code, in other embodiments, a simple barcode, 2d barcode (3-DI, ArrayTag, Aztec Code, Codeblock, Code 1, Code 16K, Code 49, ColorCode, CP Code, DataGlyph, Data Matrix, Datastrip, Dot Code A, HCCB (Microsoft Tag), hueCode, Inta.Code, MaxiCode, MiniCode, PDF 417, Snowflake code, SuperCode, Ultracode) Can do. The amount of information encoded in the graphical checkout identifier 603 may vary from web store 601 and embodiment. The graphical settlement identifier 603 can encode the ID of the web store 601 to which the identifier is issued and the notification of specific settlement completion information requested by the web store 601. In other examples, the graphical checkout identifier 603 identifies the web store 601, but the graphical identifier checkout system 600 and / or device agent 102 indicates which checkout completion information is requested by which web store 601. Keep track of. In either case, the graphical checkout identifier encoding module 312 encodes information within the graphical checkout identifier 603 so that it can be interpreted by the device agent 102, as described below.

  When the web store 601 that supports the graphical checkout identifier 603 desires user checkout (for example, when a page including the checkout screen 605 is read), the web store 601 issues a request for the graphical checkout identifier 603. Issued to the graphical identifier settlement system 600. The receiving module 307 of the graphical identifier settlement system 600 on the server receives the request. In response to the received request, the graphical checkout identifier generation module 311 generates a disposable graphical checkout identifier 603 for the web store 601. In some examples, the request identifies specific requested checkout completion information for encoding in graphical checkout identifier 603. In other examples, the graphical identifier settlement system 600 stores this information for each web store 601 and encodes this information within the generated graphical settlement identifier 603. In yet other examples, this information is not encoded within the graphical checkout identifier 603, as described above. In any case, the transmission module 317 of the graphical identifier settlement system 600 transmits the generated graphical settlement identifier 603 to the web store 601 that is the request source. Further, in some embodiments, the web store 601 provides confirmation details (eg, descriptions, items in the user's cart, respective prices, total price, etc.) to the graphical identifier checkout system 600 regarding the user's transaction. It provides for. As described below, this information can be used to confirm transactions with the user.

  Web store 601 receives graphical settlement identifier 603 from graphical identifier settlement system 600 and processes the identifier to display the resulting image on its settlement screen 605. In some embodiments, the graphical checkout identifier 603 itself is only a request for payment completion by the web store 601. In other embodiments, the graphical checkout identifier 603 is displayed in addition to the conventional prompt for at least some checkout completion information. For example, the user can be given the option to settle by entering the settlement information manually or by using the graphical settlement identifier 603. FIG. 7 shows a settlement screen 605 of the web store 601 that displays the graphical settlement identifier 603.

  When the user observes the checkout screen 605 of the web store including the graphical checkout identifier 603, the user can automatically complete the checkout by using the registered mobile communication device 103. In some embodiments, the device agent 102 prompts the user to identify itself to prevent unauthorized persons from using the stolen mobile device 103. Depending on the capabilities of the mobile device 103, this user ID may be a 4-digit PIN (Personal Identification Number) entry, or another conventional authentication such as fingerprint scanning, facial shape recognition, or other biometric authentication. Can have a method. Once the user is identified at the level of the mobile device 103, the user aims the image reading device 307 of the mobile communication device 103 against the graphical checkout identifier 603 displayed on the checkout screen 605 of the web store, and the image Activate reader 307 (e.g., take or scan a digital photograph of graphical checkout identifier 603). The image reading device 307 captures the graphical checkout identifier 603, and the device agent's graphical identifier interpretation module 313 interprets the information encoded therein as a request for checkout completion information by the web store 601. FIG. 8 illustrates a mobile communication device 103 that captures a graphical checkout identifier 603 according to some embodiments.

  The graphical identifier interpretation module 313 interprets the information encoded in the graphical checkout identifier 603, which, as described above, is usually the web store 601 that is requesting checkout completion information and some In this case, the specific settlement completion information requested is identified.

  In some embodiments, the transaction confirmation module 607 of the device agent 102 displays the transaction confirmation to the user. The transaction confirmation may display much or less information that is needed (eg, the name of the web store 601 and the transaction total, a delivery note of the completed web store 601 with individual items, etc.). As described above, this type of confirmation information can be provided from the web store 601 to the graphical identifier settlement system 600 and then from the graphical identifier settlement system 600 to the device agent 102. In some embodiments, the transaction confirmation module 607 may provide options for performing a transaction confirmation or cancellation and / or a stored payment method and / or shipping address to use (eg, from a drop-down menu). ) The user is given an option to select. FIG. 9 illustrates a mobile communication device 103 displaying a transaction confirmation according to some embodiments.

  Once the graphical checkout identifier 603 has been interpreted (as well as after any optional transaction confirmation operation), the automatic checkout initiation module 315 of the device agent 102 communicates with the graphical identifier checkout system 600 so that the graphical identifier checkout system 600 can be By requesting that the user's payment be automatically completed at the store 601, the user's automatic payment at the web store 601 is started. A receiving module 309 of the graphical identifier settlement system 600 on the server 105 receives a request from the mobile device 103 to automatically complete the user settlement. In order to automatically complete the checkout of the user at the web store 601, the sending module 317 of the graphical identifier checkout system 600 on the server 105 responds to the mobile device 103 associated with the user capturing the graphical checkout identifier 603. Then, the requested payment completion information is transmitted to the web store 601. In some cases, the automatic checkout module 315 of the device agent 102 provides the requested checkout completion information to the graphical identifier checkout system 600 on the server 105. In some of these embodiments, a checkout completion notification requested by the web store 601 is encoded in the graphical checkout identifier 603, as described above, at the level of the mobile device 103. Is interpreted. In other such embodiments, the mobile device 103 keeps track of which web store 601 is requesting which checkout completion information. In other embodiments, the graphical identifier reimbursement system 600 on the server 105 stores reimbursement completion information for registered users, and therefore does not need to receive the requested information from the mobile device, instead In addition, only a request for completing the settlement is received.

  In any case, the transmission module 317 automatically completes the settlement by transmitting the requested settlement completion information to the web store 601. This checkout completion information is actively transmitted to the web store 601 in response to the mobile device 103 capturing the graphical checkout identifier 603 or in response to a specific request from the web store 601 itself. Can do. When the web store 601 receives the payment completion information, the web store 601 uses the payment completion information to complete the user's payment. Note that by using the graphical checkout identifier 603, the user is spared from having to manually log in to the web store 601 or enter checkout completion information.

  Although the capture of the graphical checkout identifier 603 and the start of the automatic checkout process have been described above as being performed by the mobile device 103, in some embodiments, the user can access the web store 601 from a computer system 210 other than the mobile device 103. Please understand that you can interact with. For example, a user may be shopping on the Internet using a desktop computer 210 (not shown) and reaches a checkout screen 605 of a web store 601 that supports a graphical checkout identifier 603. There is a possibility of doing. The user can then use the registered mobile device 103 to capture the graphical checkout identifier 603 displayed on the checkout screen 605 of the web store, so that the process described above allows the user to capture the graphical checkout identifier 603. The checkout process will be completed automatically. In some embodiments, some or all of the functions described as being performed by the mobile device 102 may be performed by a registered non-mobile computer 210. In some embodiments, the user interacts with the web store 601 from the mobile device 103 after checkout.

  Communications between the mobile device 103 and the graphical identifier settlement system 600 on the server 105 and between the graphical identifier settlement system 600 on the server 105 and the various web stores 601 are typically encrypted for security. Furthermore, since each graphical settlement identifier 603 can be used only once, communication cannot be reproduced normally. Communication between the mobile device 103 and the graphical identifier settlement system 600 on the server 105 may be performed via SMS or other messaging service in examples where the mobile device 103 does not currently have access to the Internet. .

  As shown in FIG. 10, the graphical identifier payment system 1000 uses cash, carries or reads a credit card, or manually enters payment information each time a payment is made. It enables an automatic payment procedure that frees the user from having to do that. Instead, the user completes the electronic payment process using a special graphical payment identifier 1003 displayed by the payment processing entity (eg, on the payment screen 1005 or statement). As will be described in more detail below, the graphical payment identifier 1003 is an image reader 307 (eg, digital camera, digital barcode reader) on the user's personal mobile communication device 103 (eg, smartphone, tablet computing device, etc.). Etc.). Once the graphical payment identifier 1003 is captured, the device agent 102 running on the mobile communication device 103 interprets the graphical payment identifier 1003 as a request from the payment processing entity 1001 for payment information. The device agent 102 on the mobile communication device 103 then controls the graphical identifier payment system 1000 to automatically process the payment over the back channel, as described in more detail below.

  In FIG. 10, the graphical identifier payment system 1000 is separate from any payment processing entity 1001 where payment is performed via the graphical payment identifier 1003 and is separate from any merchant receiving such payment. 105 is shown as being present. In other embodiments, some or all of the functionality of the graphical identifier payment system 1000 can be provided directly by the computer 210 hosting the payment processing entity 1001 and / or the target merchant. However, in an embodiment running on a separate server 105 as shown in FIG. 10, the graphical identifier payment system 1000 can be used in connection with multiple payment processing entities 1001. The graphical identifier payment system 1000 mediates trust between the mobile communication device 103 and the payment processing entity 1001 to process user payments.

  Each user who desires to use the graphical payment function described herein acquires a mobile communication device 103 running a device agent 102. Such a user registers with the graphical identifier payment system 1000. To register a user, the graphical identifier payment system 1000 authenticates the user and identifies the user's mobile communication device 103. The graphical identifier payment system 1000 can authenticate the user using any conventional authentication method (user name and password, ID check, bank transfer, credit card authentication, etc.). In order to identify a particular mobile communication device 103 being operated by an authenticated user, the graphical identifier payment system 1000 can identify a unique number, such as a serial number from the installed device agent 102 or the mobile communication device 103 itself, for example. Identification information can be read. Registered users can provide payment information such as actual payment methods (eg, credit card information, bank account information, and / or PayPal account information) to the graphical identifier payment system 1000. The graphical identifier payment system 1000 can recognize the registered user and the mobile communication device 103 later and process the payment using the associated payment information so that the user, the specific mobile communication device 103, And, if provided, store the association between the user's payment information.

  The graphical payment identifier generation module 311 of the graphical identifier payment system 1000 generates a disposable graphical payment identifier 1003 for use by the payment processing entity 1001. In this context, the graphical payment identifier has a notification of a request for payment information from a particular payment processing entity 1001. The graphical payment identifier 1003 can be output as a visible image that can be captured and interpreted by the mobile communication device 103 running on the device agent 102. In one embodiment, the graphical payment identifier 1003 has a renderable QR code that can be embedded on a web page. In addition to QR codes, in other embodiments, simple barcodes, 2d barcodes (3-DI, ArrayTag, Aztec Code, Codeblock, Code 1, Code 16K, Code 49, Color Code, CP Code, DataGlyph, Data Matrix, Datastrip, Dot Code A, HCCB (Microsoft Tag), hueCode, Inta.Code, MaxiCode, MiniCode, PDF 417, Snowflake code, SuperCode, Ultracode) Can do. The amount of information encoded in the graphical payment identifier 1003 may vary for each payment processing entity 1001 and implementation. The graphical payment identifier 1003 can encode the ID of the payment processing entity 1001 to which the identifier is issued and a notification of specific payment information that the payment processing entity is requesting. In other examples, the graphical payment identifier 1003 identifies the payment processing entity 1001, but the graphical identifier payment system 1000 and / or the device agent 102 requires which payment processing entity 1001 is requesting which payment information. Is tracking. In either case, the graphical payment identifier encoding module 312 encodes information within the graphical payment identifier 1003 so that the device agent 102 can interpret it, as described below.

  When the payment processing entity 1001 that supports the graphical payment identifier 1003 attempts to accept payment from the user (eg, at the time of loading a page containing the payment screen 1005), the payment processing entity 1001 A request is issued to the graphical identifier payment system 1000. The receiving module 307 of the graphical identifier payment system 1000 on the server receives the request. In response to the received request, the graphical payment identification generation module 311 generates a disposable graphical payment identifier 1003 for the payment processing entity 1001. In some examples, the request identifies specific requested payment information for encoding within graphical payment identifier 1003. In other examples, the graphical identifier payment system 1000 stores this information for each payment processing entity 1001 and encodes the information within the generated graphical payment identifier 1003. In yet other examples, this information is not encoded within the graphical payment identifier 1003, as described above. In any case, the transmission module 317 of the graphical identifier payment system 1000 transmits the generated graphical payment identifier 1003 to the requesting payment processing entity 1001. Further, in some embodiments, payment processing entity 1001 provides further statement details (eg, description, item, respective price, total price, etc.) for the current transaction to graphical identifier payment system 1000. provide. As described below, this information can be used to confirm transactions with the user.

  The payment processing entity 1001 receives the graphical payment identifier 1003 and processes the identifier, for example, to display the resulting image on the payment screen 1005. In some embodiments, the graphical payment identifier 1003 itself is only a request for payment displayed by the payment processing entity 1001. In other embodiments, the graphical payment identifier 1003 is displayed in addition to a conventional prompt for at least some payment information. For example, the user may be given the option to make a payment by entering payment information as before (eg, by loading a credit card) or by using the graphical payment identifier 1003. it can. In some embodiments, payment processing entity 1001 displays graphical payment identifier 1003 on physical media, such as a printed statement, instead of on the screen. FIG. 11 illustrates a payment screen 1005 of a POS device 1101 that displays a graphical payment identifier 1003 according to some embodiments, along with a conventional mechanism 1103 for causing a credit card to be read.

  When a user is observing a payment processing entity payment screen 1005 (or other output mechanism) that includes a graphical payment identifier 1003, the user automatically makes a payment by using the registered mobile communication device 103. Can be executed. In some embodiments, the device agent 102 prompts the user to identify himself / herself to prevent unauthorized persons from using the stolen mobile device 103. Depending on the capabilities of the mobile device 103, this user ID may be a 4-digit PIN (Personal Identification Number) entry, or another conventional authentication such as fingerprint scanning, facial shape recognition, or other biometric authentication. Can have a method. If the user is identified at the level of the mobile device 103, the user aims the image reader 307 of the mobile communication device 103 against the graphical payment identifier 1003 displayed by the payment processing entity 1001 and the image reader 307. (E.g., take or scan a digital image of the graphical payment identifier 1003). Image reader 307 captures graphical payment identifier 1003 and device agent graphical identifier interpretation module 313 interprets the information encoded therein as a request for payment information by payment processing entity 1001. FIG. 12 illustrates a mobile communication device 103 that captures a graphical payment identifier 1003 according to some embodiments.

  The graphical identifier interpretation module 313 interprets the information encoded in the graphical payment identifier 1003, which, as described above, typically includes the payment processing entity 1001 requesting payment information and some In this case, the specific payment information requested is identified.

  In some embodiments, the transaction confirmation module 607 of the device agent 102 displays the transaction confirmation to the user. The transaction confirmation may display much or less information that is needed (eg, the name of the merchant being paid and the transaction total, a completed statement with individual items, etc.). As described above, this type of transaction information can be provided from the payment processing entity 1001 to the graphical identifier payment system 1000 and from the graphical identifier payment system 1000 to the device agent 102. In some embodiments, the transaction confirmation module 607 is for selecting (eg, from a drop-down menu) an option for performing a transaction confirmation or cancellation and / or a payment method stored for use. A choice is given to the user. FIG. 13 illustrates a mobile communication device 103 displaying a transaction confirmation 1301 according to some embodiments.

  Once the graphical payment identifier 1003 has been interpreted (and after any optional transaction confirmation operation), the automatic payment initiation module 315 of the device agent 102 communicates with the graphical identifier payment system 1000 to allow the graphical identifier payment system 1000 to pay. Automatic payment from the user is initiated by requesting that the payment from the user to the other party (eg, merchant) be automatically processed through the processing entity 1001.

  A receiving module 309 of the graphical identifier payment system 1000 on the server 105 receives a request from the mobile device 103 to automatically process the user's payment. In order to automatically process the payment, the sending module 317 of the graphical identifier payment system 1000 on the server 105 is requested in response to the mobile device 103 associated with the user capturing the graphical payment identifier 1003. Payment information to be sent to the payment processing entity 1001. In some cases, the automatic payment initiation module 315 of the device agent 102 provides the requested payment information to the graphical identifier payment system 1000 on the server 105. In some of these embodiments, a notification of payment information requested by the payment processing entity 1001 is encoded in the graphical payment identifier 1003, which is interpreted at the level of the mobile device 103 as described above. Is done. In other such embodiments, the mobile device 103 keeps track of which payment processing entity 1001 is requesting which payment information. In other embodiments, the graphical identifier payment system 1000 on the server 105 stores registered user payment information, and therefore does not need to receive the requested information from the mobile device, instead. Receives only requests to process payments. In any case, the sending module 317 automatically processes the user's payment by sending the requested payment information to the payment processing entity 1001. This payment information is actively sent to the payment processing entity 1001 in response to the mobile device 103 capturing the graphical payment identifier 1003 or in response to a specific request from the payment processing entity 1001 itself. be able to. When payment processing entity 1001 receives payment information, payment processing entity 1001 uses the payment information to perform payment from the user to the recipient. Note that by using the graphical payment identifier 1003, the user is spared from using cash, carrying or reading a credit card, or entering payment information manually. .

  It should be understood that the payment processing entity 1001 performs payment to the recipient electronically (eg, via credit card, electronic funds transfer, PayPal, etc.). The payment processing entity 1001 is configured to electronically process the execution of payment from the user to the recipient and is configured to display information to the user on the screen and / or by printing a statement. Can have any entity. Examples of payment processing entities 1001 are POS systems and credit card terminals. Examples of payment recipients are merchants, physical retail stores, wholesalers, web stores, and the like. Some payment processing entities 1001 can be associated with a single payment recipient (eg, a POS system located at a store), others are many different recipients (eg, credit card terminals). Can process payments against. The processing of the actual payment execution (eg the transfer of funds between financial institutions and the actual execution of credit card transactions) is simply performed by the web store for subsequent processing by a third party, for example, payment information (eg Note that it is not the same as receiving a credit number and expiration date or bank account number).

  FIG. 14 illustrates an implementation in which an individual can automatically make an electronic payment to another individual using the graphical identifier payment system 1000 as opposed to performing a payment to a commercial recipient. The form is shown. In this case, the payer's mobile device 102 displays a graphical payment identifier 1003 that can be captured by the payee's mobile device 102. Once the graphical payment identifier 1003 is captured, the payee's mobile communication device 102 communicates with the graphical identifier payment system 1000 on the server 105, which processes the payment through the back channel. Both the payer and the payee operate the mobile communication device 103 running on the device agent 102. All of these users are registered in the graphical identifier payment system 1000 as described above.

  When the user wishes to make a payment to another individual using the graphical payment identifier 1003, the user operates his mobile device 103 and the device agent 102 enters the payment amount and the correct payment method. And (optionally from the drop-down menu) and optionally prompt the user to enter a transaction description. FIG. 15 illustrates a payer's mobile communication device 103 displaying an input screen 1501 for performing payment for another individual according to one embodiment.

  When the user enters this information, the device agent executes a request for graphical payment identifier 1003 to graphical identifier payment system 100 as described above. In response, the graphical payment identifier generation module 311 generates a disposable graphical payment identifier 1003 as described above, but in this scenario, the graphical payment identifier 1003 is used by the payer's mobile communication device 103. And has a notification of an offer to make a payment. In some examples, the graphical payment identifier generation function is instantiated on the server 105 as shown, but in other cases it is a module of the device agent 102 that is the payer's mobile communication. An instance is generated on the device 103.

  The graphical payment identifier 1003 is output by the payer's mobile communication device 103 as a visible image that can be captured and interpreted by the payee's mobile communication device 103. The amount of information encoded in the graphical payment identifier 1003 in this scenario can vary, but the ID of the registered payer and / or payee, the amount of payment, one or both sides Data such as correct payment information, and optionally further descriptive information about the payment, may be included. FIG. 16 illustrates a payer's mobile communication device 103 displaying a graphical payment identifier 1003 according to one embodiment.

  The payee aims the image reading device 307 of his / her mobile communication device 103 against the graphical payment identifier 1003 displayed by the payee's mobile communication device 103 and activates the image reading device 307. Can accept payment automatically. The image reader 307 captures the graphical payment identifier 1003, and the graphical identifier interpretation module 313 of the device agent 102 on the payee's mobile device 103 performs the payment with the information encoded therein. As an offer by the payer's mobile device 103. Once the graphical payment identifier 1003 is interpreted, the automatic payment initiation module 315 of the device agent 102 on the payee's mobile device 103 communicates with the graphical identifier payment system 1000 so that the graphical identifier payment system 1000 automatically processes the payment. Initiate automatic payments by requesting to do so.

  A request from the payee's mobile device 103 to automatically process the payment is received by the receiving module 309 of the graphical identifier payment system 1000 on the server 105. To automatically process the payment, the sending module 317 of the graphical identifier payment system 1000 on the server 105 is responsive to the payee's mobile device 103 associated with the user capturing the graphical payment identifier 1003. , Send the actual payment information on both sides to the appropriate payment processing entity 1001. The graphical identifier payment system 1000 is in electronic communication with the payment processing entity 1001 to make payments from payers to payees (eg, by transferring funds between their individual bank accounts, or otherwise). Execute by utilizing their individual actual payment information). The actual payment information for each side can be tracked by the graphical identifier payment system 1000, can be provided by the appropriate mobile communication device 103, and / or encoded within the graphical payment identifier 1003. be able to.

  Once the payment has been processed, the receiving module 307 of the graphical identifier payment system 1000 typically receives a confirmation from the payment processing entity 1001, and in response, the sending module 317 of the graphical identifier payment system 1000 typically receives the confirmation. To both mobile communication devices, which can display confirmation information to the user. FIG. 17 illustrates a payee's mobile communication device 103 displaying a transaction confirmation 1501 according to one embodiment. Using the graphical payment identifier 1003, an individual can carry or exchange cash, carry or read a credit card, accept payment by credit card, and / or manually enter payment information Note that payment can be made to another individual without the need to do so.

  Communication between the mobile device 103 and the graphical identifier payment system 1000 on the server 105 and between the graphical identifier payment system 1000 on the server 105 and the various payment processing entities 1001 is typically encrypted for security. Furthermore, since each graphical payment identifier 1003 can only be used once, the communication cannot be reproduced normally. Communication between the mobile device 103 and the graphical identifier payment system 1000 on the server 105 can be performed via SMS or other messaging service in examples where the mobile device 103 does not currently have access to the Internet. .

  As will be appreciated by those skilled in the art, the present invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Similarly, specific naming and partitioning of parts, modules, agents, managers, components, functions, procedures, operations, layers, features, attributes, methods, data structures, and other aspects are not essential and important. Therefore, the mechanisms implementing the present invention or its functions may have different names, divisions and / or formats. The foregoing description has been described with reference to specific embodiments for purposes of explanation. However, the above exemplary description is not intended to be exhaustive or limited to the disclosed forms. Many modifications and variations are possible in light of the above teaching. These embodiments best describe the relevant principles and their practical application, and thus vary with or without various modifications appropriate to the particular usage envisioned by those skilled in the art. The preferred embodiments have been selected and described in order to make the best use of them.

Claims (20)

A computer-implemented method for automatically authenticating a user using a graphical authentication identifier, comprising:
Generating a disposable graphical authentication identifier displayed by the authentication entity by at least one computer;
Encoding a request for user authentication information by the authentication entity into the disposable graphical authentication identifier by the at least one computer;
In response to a registered user operation computing device capturing the disposable graphical authentication identifier displayed by the authentication entity, without the user manually entering the requested user authentication information Transmitting the requested user authentication information to the authentication entity by the at least one computer so that the user is automatically authenticated to the authentication entity;
Having a method. Receiving by the at least one computer a request for a graphical authentication identifier from the authentication entity;
Transmitting the generated graphical authentication identifier to the authentication entity by the at least one computer;
The method of claim 1 further comprising: The step of encoding a request for the user authentication information into the disposable graphical authentication identifier comprises:
The method of claim 1, further comprising: encoding at least one computer an ID of specific authentication information requested by the authentication entity.   Responsive to the user manipulation computing device capturing the disposable graphical authentication identifier displayed by the authentication entity, a request for automatically completing authentication of the user against the authentication entity is provided. The method of claim 1, further comprising receiving by the at least one computer from a device. The requested authentication information has at least a second factor authentication rolling value predictable by the authentication entity, the method comprising:
The method further comprises generating a predictable second factor authentication rolling value in response to the user manipulation computing device capturing the disposable graphical authentication identifier displayed by the authentication entity. The method according to 1. A computer-implemented method that uses a graphical checkout identifier to automatically check users at a web store,
Generating at least one computer a disposable graphical checkout identifier displayed by the web store;
Encoding the request for checkout completion information by the web store by the at least one computer in the disposable graphical checkout identifier;
In response to a registered user-operated computing device capturing the disposable graphical checkout identifier displayed by the web store, the user manually logs into the web store or the requested checkout Sending the requested settlement completion information to the web store by the at least one computer so that the user is automatically settled at the web store without entering completion information;
Having a method. Receiving by the at least one computer a request for a graphical checkout identifier from the web store;
Transmitting the generated graphical checkout identifier to the web store by the at least one computer;
The method of claim 6 further comprising: The step of encoding a request for the checkout completion information into the disposable graphical checkout identifier comprises:
7. The method according to claim 6, further comprising: encoding, by the at least one computer, an ID of specific checkout completion information requested by the web store.   In response to the user manipulation computing device capturing the disposable graphical checkout identifier displayed by the web store, a request for automatically completing the user checkout at the web store is the user operation computing device. The method of claim 6, further comprising receiving by the at least one computer. Receiving confirmation information from the web store by the at least one computer regarding transactions being conducted by the user;
Transmitting the received confirmation information regarding the transaction being performed by the user to the user operation computing device by the at least one computer;
The method of claim 1 further comprising: A computer-implemented method for automatically processing electronic payments from a user to a recipient using a graphical payment identifier, comprising:
Generating at least one computer a disposable graphical payment identifier displayed by the payment processing entity;
Encoding a request for payment information by the payment processing entity into the disposable graphical payment identifier by the at least one computer;
In response to a registered user-operated computing device capturing the disposable graphical payment identifier displayed by the payment processing entity, without the user manually entering the requested payment information And the requested payment information to the payment processing entity so that the electronic payment from the user to the recipient is automatically performed without the user providing a physical credit card. Transmitting by at least one computer;
Having a method. Receiving a request for a graphical payment identifier from the payment processing entity by the at least one computer;
Transmitting the generated graphical payment identifier to the payment processing entity by the at least one computer;
The method of claim 11, further comprising: The step of encoding the request for payment information into the disposable graphical payment identifier comprises:
The method of claim 11, further comprising encoding, by the at least one computer, specific payment information IDs requested by the payment processing entity.   In response to the user-operated computing device capturing the disposable graphical payment identifier displayed by the payment processing entity, a request to automatically process the electronic payment is sent from the user-operated computing device to the at least The method of claim 11, further comprising receiving by one computer. Receiving by the at least one computer information from the payment processing entity about a transaction being performed by the user;
Transmitting the received information regarding the transaction being performed by the user to the at least one computer to the user operation computing device;
The method of claim 11, further comprising: A computer-implemented method for automatically processing electronic payments from a paying user operating a first mobile device to a paying user operating a second mobile device using a graphical payment identifier, comprising:
Generating at least one computer a disposable graphical payment identifier displayed by the first mobile device;
Encoding, by the at least one computer, an offer to make a payment from the paying user to the payee user in the disposable graphical payment identifier;
In response to the second mobile device capturing the disposable graphical payment identifier displayed by the first mobile device, the payment user does not provide a physical credit card and the payee user A request to automatically process the electronic payment such that the electronic payment from the paying user to the paying user is automatically performed without requiring acceptance of a credit card payment; Sending to the payment processing entity;
Having a method. Receiving a request for a graphical payment identifier from the first mobile device by the at least one computer;
Transmitting the generated graphical payment identifier to the first mobile device by the at least one computer;
The method of claim 16 further comprising:   In response to the second mobile device capturing the disposable graphical payment identifier displayed by the first mobile device, a request is received from the second mobile device to automatically process the electronic payment. The method of claim 16, further comprising receiving by at least one computer. Sending the request to the payment processing entity to automatically process the electronic payment comprises:
17. The method of claim 16, further comprising transmitting actual payment information for both the payment user and the payment recipient user to the payment processing entity by the at least one computer.   Responsive to receiving confirmation from the payment processing entity by the at least one computer that the payment has been processed, a confirmation that the payment has been processed is the first mobile device and the second mobile The method of claim 16, further comprising transmitting to both devices.