EP3559881A1 - Secure log-in or transaction procedure - Google Patents
- Publication number
- EP3559881A1 EP17832471.1A
- Authority
- EP
- European Patent Office
- Prior art keywords
- given user
- user
- mobile communication
- authorization
- communication device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
- G06Q20/40145—Biometric identity checks
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
Definitions
- the present disclosure relates to systems for facilitating a secure log-in or transaction procedure. Moreover, the present disclosure concerns methods of facilitating a secure log-in or transaction procedure. Furthermore, the present disclosure also relates to computer program products comprising a non-transitory computer-readable storage medium having computer-readable instructions stored thereon, the computer-readable instructions being executable by a computerized device comprising processing hardware to execute the aforementioned methods.
- sensitive information of a given debit/credit card includes a card number, a username, a term of validity and a verification number of that debit/credit card.
- a malicious party can easily make financial transactions using this sensitive information of the given debit/credit card on the Internet.
- a PIN code associated with the given debit/credit card is usually needed only at Point-Of-Sale (POS) terminals, namely when shopping in retail stores.
- strong customer authentication via the PIN code is needed very rarely in online Internet-based transactions, namely only when a financial transaction is charged from a debit account.
- a financial institution offers to its customers a software application (namely, an "App") for mobile authorization, wherein the App is to be downloaded and installed at the customers' mobile communication devices.
- a given customer is required to open the App on his/her mobile communication device manually, so as to initiate an authorization process using the App.
- This technique is not just user-unfriendly, but also drains a battery of the given customer's mobile communication device, as the given customer's mobile communication device has to be kept active for a long duration.
- the present disclosure seeks to provide an improved system for facilitating a secure log-in or transaction procedure that is highly robust and relatively easy for users to employ, for example, when implementing financial transactions or other types of transactions.
- the present disclosure seeks to provide an improved method of facilitating a secure log-in or transaction procedure.
- embodiments of the present disclosure provide a method of facilitating a secure log-in procedure or a secure transaction procedure, to enable a given user or a person under custody of the given user to log-in to or perform a transaction with a service securely, wherein the service is provided by a server arrangement that is coupled via a data communication network to at least one mobile communication device of the given user, characterized in that the method includes:
- Embodiments of the present disclosure are of advantage in that the aforementioned method facilitates a quick, robust and uncomplicated approach for performing strongly-secured customer authorization.
- embodiments of the present disclosure provide a system for facilitating a secure log-in procedure or a secure transaction procedure, to enable a given user or a person under custody of the given user to log-in to or perform a transaction with a service securely, wherein the system includes a server arrangement providing the service, the server arrangement being coupled via a data communication network to at least one mobile communication device of the given user, characterized in that the server arrangement is operable to:
- embodiments of the present disclosure provide a computer program product comprising a non-transitory computer-readable storage medium having computer-readable instructions stored thereon, the computer-readable instructions being executable by a computerized device comprising processing hardware to execute a method of the aforementioned first aspect.
- FIG. 1 is a schematic illustration of a network environment wherein a system for facilitating a secure log-in procedure or a secure transaction procedure is implemented pursuant to embodiments of the present disclosure;
- FIG. 2 is a sequence diagram depicting an example implementation of a method of facilitating a secure log-in procedure or a secure transaction procedure, in accordance with an embodiment of the present disclosure;
- FIGs. 3A and 3B are process flows of example implementations of the aforementioned method for enabling a given user (or a person under custody of the given user) to log-in to or perform a transaction with a service, respectively, pursuant to embodiments of the present disclosure;
- FIGs. 4A-D are schematic illustrations of example views of user interfaces presented to a given user or a person under custody of the given user at various steps of the example implementation of the aforementioned method.
- FIGs. 5A-B are a collection of exemplary views of screenshots of an authorization-request message at the user's mobile communication devices, in accordance with an embodiment of the present disclosure.
- an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent.
- the non-underlined number is used to identify a general item at which the arrow is pointing.
- embodiments of the present disclosure provide a method of facilitating a secure log-in procedure or a secure transaction procedure, to enable a given user or a person under custody of the given user to log-in to or perform a transaction with a service securely, wherein the service is provided by a server arrangement that is coupled via a data communication network to at least one mobile communication device of the given user, characterized in that the method includes:
- the user interface can be presented to the given user or said person via a web browser or a software application running on the user device. It will be further appreciated that the user interface can be presented at any device other than the given user's mobile communication device, for example such as a personal computer or a smartwatch.
- the method includes sending, to the user device, a notification to be presented to the given user or said person for instructing the given user or said person to wait until the authorization via the at least one mobile communication device of the given user has been verified successfully.
- the sending of this notification is performed substantially simultaneously with the sending of the aforementioned authorization-request message at (ii).
- the method includes configuring the user device to inform the given user or said person to wait, without a need for the notification to be received from the server arrangement.
- the user device is optionally configured to inform the given user or said person on its own, as the user device knows that the authorization is required to be verified.
- the given user or said person is not required to be informed at all, as the given user or said person already knows that he/she has to wait until the authorization is verified successfully.
- the real-time push signalling is beneficial for sending the authorization-request message at (ii), because such push signalling activates (namely, awakens) the at least one mobile communication device of the given user or the application therein, and displays the authorization-request message to the given user even when a display screen of the at least one mobile communication device is locked.
- a push notification service provided by an ecosystem of the at least one mobile communication device is required to be enabled on the at least one mobile communication device.
- push notification services include, but are not limited to, Apple® Push Notification service (APNs), Google® Cloud Messaging (GCM), and Windows® Notification Service (WNS).
- such push signalling activates (namely, awakens) a trusted software application (namely, the aforesaid application) on the at least one mobile communication device, wherein the trusted software application is previously provided to the at least one mobile communication device by the server arrangement.
- contemporary known techniques are based on pull technology, and require an end user to open a software application (namely, App) manually on his/her mobile communication device, prior to initiating an authorization process.
- Such contemporary known techniques are not only inconvenient to the end user, but also drain a battery of the end user's mobile communication device for a longer time, as compared to the method pursuant to embodiments of the present disclosure.
- the aforementioned push signalling is implemented by way of a trusted software application that is executing in the background at the at least one mobile communication device, wherein the trusted software application is operable to receive a push signal from the server arrangement to awaken the at least one mobile communication device, and to present the authorization-request message at the at least one mobile communication device in real time or near real time.
- a service provider can generate at the at least one mobile communication device an event, for example, such as an image or a link, acting as a request for the user to confirm.
- the at least one mobile communication device of the given user includes a plurality of mobile communication devices of the given user that are registered with the server arrangement.
- the authorization-request message is sent to each of the plurality of mobile communication devices of the given user at (ii).
- when the response message is received from any one of the plurality of mobile communication devices at (iii), the method includes sending, to the rest of the plurality of mobile communication devices, an instruction to ignore the authorization-request message that was previously sent at (ii).
- the method includes keeping a track of which mobile communication device has been used to perform the authorization.
- the method includes maintaining a log of a given mobile communication device that was used to perform the authorization and its associated timestamp.
- the method includes blocking a given mobile communication device of the given user from which an unauthorized party has made an attempt to perform the authorization, so as to avoid any further abuse.
- the method includes providing a trusted software application (for example, an "App") to the at least one mobile communication device, wherein the trusted software application is then installed at the at least one mobile communication device. More optionally, the trusted software application is provided to the at least one mobile communication device in an encrypted form.
- the trusted software application is operable to compare the personal identification code and/or the at least one bio-credential provided by the given user with a previously-registered personal identification code and/or at least one bio-credential of the given user, namely a personal identification code and/or at least one bio-credential of the given user previously registered with the trusted software application.
- the comparison is performed by the ecosystem of the at least one mobile communication device.
- the trusted software application is then operable to determine whether or not the authorization has been verified successfully, based upon the comparison.
- the trusted software application is operable to employ at least one key that is stored in a key store of the at least one mobile communication device to encrypt the response message.
- the trusted software application is operable to employ a certificate that is stored in the key store of the at least one mobile communication device to sign digitally the response message.
- the response message may be any one of:
- the given user authorizes the trusted software application to sign digitally the content of the response message using his/her own private key (for example, for a Public Key Infrastructure (PKI) equivalent usage).
- the content of the response message is the same as the content of the authorization-request message.
- the server arrangement is operable to verify that the content of the response message that is delivered back is unchanged from the content of the authorization-request message that was previously sent at (ii). It will be appreciated that when the response message is received in encrypted form, the method includes decrypting the response message.
- the response message is received from the at least one mobile communication device, via secured transportation.
- secured transportation can be implemented, for example, via HyperText Transport Protocol Secure (HTTPS) protocol or Secure Sockets Layer (SSL).
- the method includes providing the at least one mobile communication device with the key store including keys and/or certificates to be used for encryption and/or decryption purposes and/or signing purposes, respectively.
- the key store may, for example, be provided by the server arrangement or a trusted third party.
- the usage of the key store is protected in operation, such that the contents of the key store are accessible to the trusted software application only.
- the usage of the key store is protected in operation by a kernel layer of the at least one mobile communication device.
- the kernel layer of the at least one mobile communication device is implemented as a mixture of hardware and software, and is proprietary to the at least one mobile communication device, for example is proprietary to a manufacturer of the at least one mobile communication device.
- a protected key store is optionally provided by using other security methods, for example by employing heavy data encryption, or by employing a combination of heavy data encryption followed by data obfuscation for securing data, and an inverse of such heavy encryption when recovering data. Obfuscation is optionally achieved by inverting and/or swapping specific bits of data bytes.
- the aforementioned trusted software application is operable to interface with other software applications executing in other software layers hosted, in operation, in the at least one mobile communication device.
- various data exchanges occur between the trusted software application executing in the kernel layer and the other software applications executing in the software layers.
- the aforementioned trusted software application is protected by security provisions of the kernel layer that are typically more secure than the software layers.
- the trusted software application is executed in a secure area of processing hardware of the at least one mobile communication device. More optionally, the secure area of the processing hardware is implemented by way of Trusted Execution Environment (TEE; see reference [1]).
- the method includes aborting the secure log-in procedure or the secure transaction procedure, if no response message is received from the at least one mobile communication device of the given user within a predefined time period.
- the predefined time period optionally is in a range of a few seconds to tens of seconds. In other examples, the predefined time period is optionally longer, and is optionally in a range of tens of seconds to a few minutes. In such cases, an additional feature is optionally provided in the authorization-request message that enables the given user to decline the authorization request, for example, when the given user no longer wants to make the financial transaction.
- the personal identification code is a Personal Identification Number (PIN) code.
- the personal identification code can alternatively be a code that includes alphanumeric characters and/or special characters that can be entered using a keypad of the at least one mobile communication device.
- the at least one bio-credential of the given user includes at least one of: a fingerprint of the given user, facial features of the given user, iris recognition of the given user, DNA genetic information of the given user.
- a fingerprint or a facial image of the given user can be captured via an image sensor of the at least one mobile communication device of the given user.
- the given user's bio-credential may alternatively correspond to any other type of biometrical verification feasible in future, for example by employing a bio-sensor to provide a DNA analysis of the user's sweat or sputum.
- the bio-credential can include for example a walking manner of the given user, a writing manner of the given user or a heartbeat pattern of the given user, depending on the feasibility in the service area in question. It will be appreciated that it does not matter what kind of verification method is used for embodiments of the present disclosure, as it is typically the at least one mobile communication device that defines such an operation.
- Examples of the user device and the at least one mobile communication device include, but are not limited to, mobile phones, smart telephones, smartwatches, Mobile Internet Devices (MIDs), tablet computers, Ultra-Mobile Personal Computers (UMPCs), phablet computers, Personal Digital Assistants (PDAs), web pads, Personal Computers (PCs), handheld PCs, laptop computers, desktop computers, and large-sized touch screens with embedded PCs.
- Some specific examples of such devices include, but are not limited to, iPhone®, iPad®, Android® phone, Android® web pad, Windows® phone, and Windows® web pad.
- the data communication network can be a collection of individual networks, interconnected with each other and functioning as a single large network.
- Such individual networks may be wired, wireless, or a combination thereof.
- Examples of such individual networks include, but are not limited to, Local Area Networks (LANs), Wide Area Networks (WANs), Metropolitan Area Networks (MANs), Wireless LANs (WLANs), Wireless WANs (WWANs), Wireless MANs (WMANs), the Internet, second generation (2G) telecommunication networks, third generation (3G) telecommunication networks, fourth generation (4G) telecommunication networks, fifth generation (5G) telecommunication networks, community networks, satellite networks, vehicular networks, sensor networks, and Worldwide Interoperability for Microwave Access (WiMAX) networks.
- the aforementioned method is suitable to be implemented for various purposes, for example, such as making financial transactions, logging-in to a secure service, casting a vote and other services that require a strong customer authorization.
- the transaction pertains to at least one of: a financial payment, digital signing.
- the service is implemented as a payment service using which the given user or said person makes the financial payment.
- the service is implemented as a digital signature service using which the given user or said person signs, for example, a given electronic document digitally.
- said person may be a child, an elder person, or any other person who is under custody of the given user.
- the aforementioned method can be implemented for parental guidance, for example, when a parent (namely, the given user) wishes to administer a payment made by his/her minor-aged child or to administer his/her child's attempt to access an entertainment service (for example, an online game site or similar).
- the aforementioned method can be implemented for monitoring elderly people; notably, it is often desired to control their usage of funds, when they become incapable of understanding the impact of their actions and the value of money.
- the aforementioned method may be implemented not only when said person wants to log-in to a web service (for example, such as an online gaming service, an online video-streaming service and the like), but also when said person wants to access certain sections of the web service.
- some sections of the web service may be accessible to said person (for example, a minor-aged child), while other sections of the web service may not be freely accessible to said person.
- said person would require similar authorization verifications when accessing these other sections of the web service.
- the server arrangement is implemented to provide a background service that is configured to perform the aforementioned steps (i) to (iv), wherein the background service is separate from the aforementioned service.
- the background service is provided by a background service provider that is different from the service provider providing the service. In other implementations, the background service is provided by the service provider itself.
- a payment service provided by a service provider is linked to a background service provided by a background service provider.
- the method is performed in multiple steps, for example, as follows: Step 1:
- a log-in page (namely, for logging-in to the payment service and/or to make a financial transaction using the payment service) is presented to a given user or a person under custody of the given user.
- the given user or said person provides his/her user details (for example, such as his/her username, e-mail address, phone number, account number, social security number and similar), if his/her user details are not already cached in the web browser.
- the user device sends, to the service provider, the user details along with a request to initiate a secure session to access the payment service.
- the background service provider listens to the session request incoming at the service provider.
- the service provider sends, to the user device, a notification to wait until authorization via a user's registered mobile communication device has been verified successfully.
- the user device informs the given user or said person to wait, without a need for the notification to be received from the service provider.
- the user device optionally informs the given user or said person on its own, as the user device knows that the authorization is required to be verified.
- the background service provider sends, to the user's registered mobile communication device (or devices), an authorization-request message using real-time push signalling.
- the user's registered mobile communication device or an application therein awakens, and presents the authorization-request message to the given user.
- the steps 2 and 3 are performed substantially simultaneously.
- the given user provides his/her personal identification code and/or his/her bio-credential at the user's registered mobile communication device.
- a trusted software application of the user's registered mobile communication device then sends, to the background service provider, a response message indicating whether or not the authorization has been verified successfully.
- Step 5: the background service provider routes the response message to the service provider.
- the log-in page at the user device redirects to a protected site, thereby allowing the given user or said person to access the payment service provided by the service provider. Otherwise, the log-in page is redirected to a page showing log-in failure or timeout.
- embodiments of the present disclosure provide a system for facilitating a secure log-in procedure or a secure transaction procedure, to enable a given user or a person under custody of the given user to log-in to or perform a transaction with a service securely, wherein the system includes a server arrangement providing the service, the server arrangement being coupled via a data communication network to at least one mobile communication device of the given user, characterized in that the server arrangement is operable to:
- the server arrangement is operable to send, to the user device, a notification to be presented to the given user or said person for instructing the given user or said person to wait until the authorization via the at least one mobile communication device of the given user has been verified successfully.
- a push notification service provided by an ecosystem of the at least one mobile communication device is required to be enabled on the at least one mobile communication device.
- push notification services include, but are not limited to, Apple® Push Notification service (APNs), Google® Cloud Messaging (GCM), and Windows® Notification Service (WNS).
- the aforementioned push signalling is implemented by way of a trusted software application (namely, the aforementioned application) that is executing in the background at the at least one mobile communication device, wherein the trusted software application is operable to receive a push signal from the server arrangement to awaken the at least one mobile communication device, and to present the authorization-request message at the at least one mobile communication device in real time or near real time.
- the at least one mobile communication device of the given user includes a plurality of mobile communication devices of the given user that are registered with the server arrangement.
- the server arrangement is operable to send the authorization-request message to each of the plurality of mobile communication devices of the given user at (ii).
- when the response message is received from any one of the plurality of mobile communication devices at (iii), the server arrangement is operable to send, to the rest of the plurality of mobile communication devices, an instruction to ignore the authorization-request message that was previously sent at (ii).
- the server arrangement is operable to keep a track of which mobile communication device has been used to perform the authorization.
- the server arrangement is operable to maintain a log of a given mobile communication device that was used to perform the authorization and its associated timestamp.
- the system includes a database arrangement coupled in communication with the server arrangement.
- the log is to be maintained at the database arrangement.
- the server arrangement and the database arrangement are implemented by way of cloud computing services.
- the server arrangement is operable to provide a trusted software application (for example, an "App") to the at least one mobile communication device, wherein the trusted software application is then installed at the at least one mobile communication device. More optionally, the server arrangement is operable to provide the trusted software application to the at least one mobile communication device in encrypted form.
- the trusted software application is operable to compare the personal identification code and/or the at least one bio-credential provided by the given user with a previously-registered personal identification code and/or at least one bio-credential of the given user.
- the comparison is performed by the ecosystem of the at least one mobile communication device.
- the trusted software application is then operable to determine whether or not the authorization has been verified successfully, based upon the comparison.
- the trusted software application is operable to employ at least one key that is stored in a key store of the at least one mobile communication device to encrypt the response message.
- the trusted software application is operable to employ a certificate that is stored in the key store of the at least one mobile communication device to digitally sign the response message.
- the server arrangement is operable to provide the at least one mobile communication device with the key store including keys and/or certificates to be used for encryption and/or decryption purposes and/or signing purposes, respectively.
- the key store is provided by a trusted third party.
- the usage of the key store is protected in operation, such that the contents of the key store are accessible to the trusted software application only.
- the usage of the key store is protected in operation by a kernel layer of the at least one mobile communication device.
- the trusted software application is executed in a secure area of processing hardware of the at least one mobile communication device. More optionally, the secure area of the processing hardware is implemented by way of TEE (see reference [1]).
- the server arrangement is operable to abort the secure log-in procedure, if no response message is received from the at least one mobile communication device of the given user within a predefined time period.
- the at least one bio-credential of the given user includes at least one of: a fingerprint of the given user, facial features of the given user, iris recognition of the given user, DNA genetic information of the given user.
- the server arrangement is implemented to provide a background service that is configured to perform the aforesaid (i) to (iv), wherein the background service is separate from the aforementioned service.
- the background service is provided by a background service provider that is different from a service provider providing the service.
- the background service is provided by the service provider itself.
- the transaction pertains to at least one of: a financial payment, digital signing.
- the service could be a payment service using which the given user or said person makes the financial payment.
- the service could be a digital signature service using which the given user or said person signs, for example, a given electronic document digitally.
- embodiments of the present disclosure provide a computer program product comprising a non-transitory computer-readable storage medium having computer-readable instructions stored thereon, the computer-readable instructions being executable by a computerized device comprising processing hardware to execute a method of the aforementioned first aspect.
- the computer-readable instructions are downloadable from a software application store, for example, from an "App store" to the computerized device.
- FIG. 1 is a schematic illustration of a network environment 100 wherein a system for facilitating a secure log-in procedure or a secure transaction procedure is implemented pursuant to embodiments of the present disclosure.
- the system includes a server arrangement 102 providing a service and a database arrangement 104 associated with the server arrangement 102.
- the server arrangement 102 is coupled in communication with a user device 106 of a given user or a person under custody of the given user and with at least one mobile communication device of the given user, depicted as a mobile communication device 108 in FIG. 1, via a data communication network 110.
- the server arrangement 102 is operable to perform operations, for example, as described with respect to the aforementioned second aspect. These operations include:
- FIG. 1 is merely an example, which should not unduly limit the scope of the claims herein. It is to be understood that the specific designation for the network environment 100 is provided as an example and is not to be construed as limiting the network environment 100 to specific numbers, types, or arrangements of server arrangements, database arrangements, user devices, mobile communication devices, and data communication networks. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
- In FIG. 2, there is provided a sequence diagram depicting an example implementation of a method of facilitating a secure log-in procedure or a secure transaction procedure, in accordance with an embodiment of the present disclosure.
- the method enables a given user or a person under custody of the given user to log-in to or perform a transaction with a service securely.
- the given user or said person provides his/her user details (for example, such as his/her username, e-mail address, phone number or similar) on a user interface presented at a user device of the given user or said person.
- the user details are received at a server arrangement providing the aforesaid service.
- the server arrangement optionally sends a notification to the user device to inform the given user or said person to wait until authorization via a user's registered mobile communication device has been verified successfully.
- the user device informs the given user or said person to wait, without a need for the notification to be received from the server arrangement.
- the user device optionally informs the given user or said person on its own, as the user device knows that the authorization is required to be verified.
- the given user or said person is not required to be informed at all, as the given user or said person already knows that he/she has to wait until the authorization is verified successfully.
- the server arrangement sends an authorization-request message to the user's registered mobile communication device (or devices) using real-time push signalling.
- the steps 2.2 and 2.3 are performed substantially simultaneously.
- the given user provides his/her personal identification code and/or at least one bio-credential at the user's registered mobile communication device.
- a response message is sent from the user's registered mobile communication device to the server arrangement.
- At a step 2.4, upon successful verification of the authorization, the given user or said person is allowed to log-in to or perform the transaction with the service from the user device.
- FIG. 3A is a process flow of an example implementation of the aforementioned method for enabling a given user (or a person under custody of the given user) to log-in to a service, in accordance with an embodiment of the present disclosure.
- the service is a web service (for example, such as an online gaming service, an online video-streaming service, online payment service and the like) provided by a service provider.
- the service is linked to a background service provided by a background service provider.
- the method is performed in multiple steps as follows:
- Step 1 In a user interface, for example a web browser, of a user device, a log-in page (namely, for logging-in to the service) is presented to the given user or said person.
- On the log-in page, the given user or said person provides his/her user details (for example, such as his/her username, user ID, e-mail address, phone number, account number, social security number and similar), if his/her user details are not already cached in the web browser.
- the user device sends, to the service provider, the user details along with a request to initiate a secure session to access the service.
- the service provider sends the user details to the background service provider, which then listens to the session request incoming at the service provider.
- the background service provider sends, to the user's registered mobile communication device (or devices), an authorization-request message using real-time push signalling.
- the user's registered mobile communication device or an application therein awakens, and presents the authorization-request message to the given user.
- the given user verifies the authorization by providing his/her personal identification code and/or his/her bio-credential at the user's registered mobile communication device.
- a trusted software application of the user's registered mobile communication device then sends, to the background service provider, a response message indicating whether or not the authorization has been verified successfully.
- Step 4 The background service provider routes the response message to the service provider.
- Step 5 Upon successful verification of the authorization, the log-in page at the user device redirects to a protected site, thereby allowing the given user or said person to access the service provided by the service provider. Otherwise, the log-in page is redirected to a page showing log-in failure or timeout.
- the web service for example, such as an online gaming service, an online video-streaming service and the like
- some sections of the web service may be accessible to said person (for example, a child), while other sections of the web service may not be freely accessible to said person.
- said person might require further authorization verifications when accessing certain sections of the web service.
- Such authorization verifications may be performed in a manner that is similar to the aforementioned process flow elucidated in conjunction with FIG. 3A.
- FIG. 3B is a process flow of an example implementation of the aforementioned method for enabling the given user (or said person) to perform a transaction with the service, in accordance with an embodiment of the present disclosure.
- the service is implemented as an online payment service using which the given user or said person performs a financial payment transaction.
- the method is performed in multiple steps as follows:
- Step 1
- a transaction page (namely, for performing the transaction with the service) is presented to the given user or said person.
- the given user or said person provides his/her user details, if his/her user details are not already cached.
- the user device sends, to the service provider, the user details along with a request to initiate a secure session to perform the transaction.
- the service provider sends the user details to the background service provider, which then listens to the session request incoming at the service provider.
- the background service provider sends, to the user's registered mobile communication device (or devices), an authorization-request message using real-time push signalling.
- the user's registered mobile communication device or an application therein awakens, and presents the authorization-request message to the given user.
- the given user verifies the authorization by providing his/her personal identification code and/or his/her bio-credential at the user's registered mobile communication device.
- a trusted software application of the user's registered mobile communication device then sends, to the background service provider, a response message indicating whether or not the authorization has been verified successfully.
- Step 4 The background service provider routes the response message to the service provider.
- Upon successful verification of the authorization, the given user or said person is allowed to perform the transaction with the service. Otherwise, the transaction page is redirected to a page showing transaction failure or timeout.
- FIGs. 3A and 3B are merely examples, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
- FIGs. 4A, 4B, 4C and 4D are schematic illustrations of example views of user interfaces presented to the given user or the person under custody of the given user at the steps 2.1, 2.2, 2.3 and 2.4 of FIG. 2, respectively.
- the exemplary service in the mentioned figures is a communication and conferencing service provided by Gurulogic Microsystem Oy's proprietary product "Starwindow®".
- FIG. 4A is a schematic illustration of a first example view of a first user interface that is presented at the user device of the given user or said person, wherein the given user or said person enters his username bob@example.com at a Starwindow® log-in page presented in the first example view.
- FIG. 4B is a schematic illustration of a second example view of the first user interface that is presented at the user device of the given user or said person, wherein the given user or said person is informed to wait until biometric verification is performed.
- FIG. 4C is a schematic illustration of an example view of a second user interface that is presented at the mobile communication device of the given user, wherein the authorization-request message is presented to the given user.
- the given user is requested to perform a biometric verification by way of presenting a fingerprint of the given user to an image sensor of the mobile communication device, within a predefined time period of three minutes.
- a contact field denoted by "X" in the example view, is provided in case the given user changes his/her mind and no longer wants to log-in to the service.
- FIG. 4D is a schematic illustration of a third example view of the first user interface that is presented at the user device of the given user or said person, wherein the given user or said person is allowed to log-in to the Starwindow® service, upon successful verification of the authorization, and a confirmation screen is presented to the given user or said person.
- FIGs. 4A-D are merely examples, which should not unduly limit the scope of the claims herein.
- a person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
- In FIGs. 5A and 5B, there are shown examples of authorization-request messages that are presented to the given user via user interfaces provided, in operation, on different mobile communication devices of the given user, for example such as a smart phone, a smart watch, smart electronically-enabled clothing or similar, when logging-in to or performing a transaction with a service pursuant to embodiments of the present disclosure.
- an e-mail address detail is provided, together with an amount of time remaining for the given user to respond by sending a confirmation via the user interface.
- biometric verification for example via fingerprint credentials.
- an e-mail address detail is provided, together with a sum of money to be paid, and buttons for enabling the given user either to confirm via the user interface a payment of the sum of money or to decline such payment.
- FIGs. 5A and 5B are merely examples, which should not unduly limit the scope of the claims herein. A person skilled in the art will recognize many variations, alternatives, and modifications of embodiments of the present disclosure.
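The checks a server arrangement has to make on the response message in the flow of FIG. 3A (signed response, time-out abort, single use), as an added example that is not code from the patent or its applicant. HMAC-SHA256 with a per-device key stands in for the certificate-based signature from the key store; the class and function names, the sample key and the PIN values are assumptions.

```python
import hashlib
import hmac
import json
import secrets

TIMEOUT_S = 180  # the example view of FIG. 4C allows three minutes to respond

# Constructed sample key; stands in for key-store material on the device.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _mac(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class BackgroundService:
    """Hypothetical server side: issues requests and checks responses."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # user -> key of the registered device
        self.pending = {}               # request_id -> (user, action, deadline)

    def send_request(self, user, action, now):
        request_id = secrets.token_hex(16)
        self.pending[request_id] = (user, action, now + TIMEOUT_S)
        return {"request_id": request_id, "user": user, "action": action}

    def handle_response(self, response, now):
        # pop() makes each request single-use, so a replayed response fails.
        entry = self.pending.pop(response.get("request_id"), None)
        if entry is None:
            return "rejected: unknown or already used request"
        user, action, deadline = entry
        if now > deadline:
            return "aborted: timeout"
        body = response.get("body", "").encode()
        expected = _mac(self.device_keys[user], body)
        if not hmac.compare_digest(expected, response.get("mac", "")):
            return "rejected: bad signature"
        claims = json.loads(body)
        # The signed body must name the same request, user and action.
        if (claims["request_id"], claims["user"], claims["action"]) != (
                response["request_id"], user, action):
            return "rejected: response not bound to request"
        return "allowed" if claims["verified"] else "denied"


def device_respond(request, entered_pin, registered_pin, key):
    """Hypothetical trusted app: compares the PIN locally, signs the result."""
    verified = hmac.compare_digest(entered_pin.encode(), registered_pin.encode())
    body = json.dumps({**request, "verified": verified}, sort_keys=True)
    return {"request_id": request["request_id"], "body": body,
            "mac": _mac(key, body.encode())}
```

The server never sees the PIN or bio-credential, only the signed outcome, which is why the signature check and the binding to the pending request carry the whole decision.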
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1621795.2A GB2557975A (en) | 2016-12-21 | 2016-12-21 | Secure log-in procedure |
PCT/EP2017/025367 WO2018114053A1 (en) | 2016-12-21 | 2017-12-21 | Secure log-in or transaction procedure |
Publications (1)
Publication Number | Publication Date |
---|---|
EP3559881A1 (de) | 2019-10-30 |
Family
ID=58284464
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP17832471.1A Pending EP3559881A1 (de) | 2016-12-21 | 2017-12-21 | Secure log-in or transaction procedure |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3559881A1 (de) |
GB (1) | GB2557975A (de) |
WO (1) | WO2018114053A1 (de) |
2016
- 2016-12-21 GB GB1621795.2A patent/GB2557975A/en not_active Withdrawn
2017
- 2017-12-21 WO PCT/EP2017/025367 patent/WO2018114053A1/en active Search and Examination
- 2017-12-21 EP EP17832471.1A patent/EP3559881A1/de active Pending
Also Published As
Publication number | Publication date |
---|---|
GB201621795D0 (en) | 2017-02-01 |
WO2018114053A1 (en) | 2018-06-28 |
GB2557975A (en) | 2018-07-04 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: UNKNOWN |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
 | 17P | Request for examination filed | Effective date: 20190717 |
 | AK | Designated contracting states | Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | AX | Request for extension of the european patent | Extension state: BA ME |
 | DAV | Request for validation of the european patent (deleted) | |
 | DAX | Request for extension of the european patent (deleted) | |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |
 | 17Q | First examination report despatched | Effective date: 20210519 |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: EXAMINATION IS IN PROGRESS |