MX2008005472A - Systems and methods for user interface access control - Google Patents

Systems and methods for user interface access control

Info

Publication number
MX2008005472A
MX2008005472A MX/A/2008/005472A MX2008005472A MX2008005472A MX 2008005472 A MX2008005472 A MX 2008005472A MX 2008005472 A MX2008005472 A MX 2008005472A MX 2008005472 A MX2008005472 A MX 2008005472A
Authority
MX
Mexico
Prior art keywords
network
access
based application
information
call
Prior art date
Application number
MX/A/2008/005472A
Other languages
Spanish (es)
Inventor
Pierre Babi Rene
Mathias Silbernagel Mark
Original Assignee
Aurora Financial Systems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aurora Financial Systems Inc filed Critical Aurora Financial Systems Inc
Publication of MX2008005472A publication Critical patent/MX2008005472A/en

Links

Abstract

Enabling and disabling login access to a web-based application by examining automatic number identification (ANI) information from a received telephone call, associating the ANI information with a user account, determining a current state of login access to a web-based application for the user account, the state of login access being one of enabled and disabled, and notifying the web- based application to change the state of login access to the other of enabled and disabled depending on the then-current state of login access . The methodology may further include examining dialed number identification service (DNIS) information of the received call to determine which of the enabling or disabling actions to take, and/or to determine which of a plurality of accounts is to be effected by the desired change in state of login access.

Description

SYSTEMS AND METHODS FOR CONTROL OF USER INTERFACE ACCESS DESCRIPTION OF THE INVENTION The ent invention relates to controlling access to network-based applications. More specifically, the ent invention relates to systems and methods for controlling access to network-based applications using out-of-band signaling, and, in particular, telephone networks. As the Internet and the World Wide Web become more and more ubiquitous, people increasingly transact business electronically and remotely. Although the convenience of availability of network-based applications is evident (for example, online banking, online shopping, online voting, etc.), there are also risks associated with increasing trust in such applications. For example, there is a greater degree of anonymity along with using the Internet. Although a user can identify himself, without listening to his voice, or seeing him in person, one can never assure that the person at the other end of the electronic communication is isely who he claims to be. One way to solve this problem has been to require people to use unique user names and passwords that only the authorized user is supposed to know.
However, this is not a fail-safe methodology because it can be quite simple to learn (or "hack") someone's supposedly secret credentials. Global network applications ("network-based applications") often control access by requiring users to enter information (eg, username and password) on a login screen. But, as noted in the above, access to the network-based application could easily be obtained by an unauthorized user who has simply obtained access to one's username and password. Therefore, there is a need to improve security in fields of network-based applications, as well as others. Modes of the ent invention can reduce the likelihood of fraudulent or unauthorized use of a network-based application, typically through an Internet browser, by providing the owner, user or account holder with positive control to enable or disable the processing of your network login credentials - effectively "turning off" the application by means of "out-of-band" signaling - such as through a novel use of telephony. Modes of the invention provide an effective implementation of out-of-band signaling to control access making it more difficult to compromise application access even if the credentials themselves, the user ID, passwords or other personally identifiable information are otherwise available to authenticate and successfully access the application. Although the ent invention is described primarily in the context of accessing a network-based application, those skilled in the art will apiate that virtually any electronically controlled access mechanisms can also make use of the methodology and system described herein. According to a possible embodiment, a method is provided for controlling access to a network-based application that includes receiving a telephone call in an access system, analyzing the call establishment information associated with the telephone call, determining from call establishment information if there is a desire by a user to grant or deny future access to the network-based application, and communicate, from the access system, the desire to grant or deny access to the application based on network, and after that grant or deny access to the network-based application. In one aspect of the invention, the call setup information comprises automatic number identification (ANI), which can be used to identify and associate a user account of the network-based application. In another aspect of the invention, the call set-up information further comprises the information of the dialed number identification service (DNIS), which may include predetermined encoding to indicate the desire to grant or deny access to the application based on net. The DNIS information may also include an indication of an account selected from a plurality of accounts belonging to a given user. In still another aspect of the invention, the user or the caller can be instructed to enter a password, for example, through the telephone keypad (ie, DTMF), to add yet another authentication layer to the general system. The telephone call may be initiated from a wired telephone, or a mobile device, such as a mobile telephone. Among the possible network-based applications with which the present invention can be applied are electronic mail, online banking, online bill payment, online commerce, application for online document presentation, or an insurance application that allows only the selected access to a predetermined group of people According to a possible implementation, the access system is operated by the same entity as the network-based application, although the access system could also be operated by a third party. After a user successfully changes the status of login access when using his telephone, embodiments of the present invention can confirm the current status of access to the network-based application by providing an interactive voice response (IVR) to the user. . Other confirmation methods may include sending an email, short message, or an instant message to the user. These and other features of the embodiments of the present invention and their intended advantages will be more fully appreciated upon reading the following detailed description together with the following drawings. BRIEF DESCRIPTION OF THE DRAWINGS Figure 1 shows a topology according to an embodiment of the present invention. Figure 2 shows a sequence diagram representing exemplary steps according to one embodiment of the present invention. Figure 3 represents another topology similar to Figure 1 according to one embodiment of the present invention. Figure 4 shows a flow diagram representing the various exemplary steps according to one embodiment of the present invention. Modalities of the present invention can change the conventional paradigm of network-based applications "always online", with restrictions for the approval of authorization of session initiation, in an alternative paradigm in which the access to the application itself can be "turned off" or 'go on' to form reversible by the consumer, at will by the use of telephony methods. Beyond the use as a means of "higher level" to toggle an access to an application, the methodology of the invention could easily be extended to use to alternate access to features or functions within a given application. Nomenclature As used within this document, the term "login" is used as an abbreviation and generalization; however, the term "login" will be construed to comprise various means for presenting and processing user credentials for the purpose of gaining access to a network-enabled or network-based application, such as user IDs, account numbers, passwords, certificates and PIN. The term "call setup information" may comprise data elements typically passed from the Public Switched Telephone Network (PSTN) to the called party service equipment during that portion of the call immediately before the call party. call answered - also referred to as "call setup" or "greeting". The term "advanced telephony" may comprise the use of a sequence of keystrokes (digital tone, or telephone keypad) that recaptures the number of keys that must be pressed to achieve an intended function. It is similar to the concept of "fast dialing". In embodiments of the present invention, a user can make use of this concept by the prior arrangement with a telephony carrier to abbreviate the required activity of a consumer as much as possible and therefore increase ease of use and simplicity for the client. Significance A component of some embodiments of the present invention is "switching" - which is the meaning of "off" session initiation processing for a given client. "Switching" can be implemented in multiple places. In some applications, the 'best' case in terms of utility and effectiveness is to place 'switching' in the most central place. An example may be within the processing infrastructure of the existing network enabled application. Alternatively, if the application or environment makes use of a more complex access control mechanism, perhaps distributed, the switching can be done in a 'central' location in order to have a global effect regardless of the 'geography' or technology of the applications. distributed themselves. More specifically, the present invention may have particular utility with respect to the emerging "simple registration" (SSO) standards. SSO is a specialized form of software authentication that allows a user to authenticate once and gain access to the resources of multiple software systems. Ease of use In some embodiments of the present invention, the means provided to enable and disable the preferred login processing is: • Easy to use • Simple in concept • Quick when applied • Reversible by the consumer with similar effort • Economical • Capable of being 'disarmed' in an emergency, given proper authentication - possibly through the use of a customer service operator. • Strongly integrated between the login process and the public telephone networks. Modalities of the present invention preferably provide a largely simplified method and system that allow the client to achieve his goal of easily turning on or off access to the application (eg, his login). With reference to the Figures, a user 100 uses his cell phone 110 (or mobile device) or wired telephone 112 to make a call to the access system 120. The access system 120, in turn, communicates with the network-enabled or network-based application 130 (or, as shown in Figure 2, "the session initiation authorization system"), which is responsible to control the access to the given application based on network, as will be explained more in the following. As shown in the sequence diagram of Figure 2, the user 100 makes a call in step 210, which in the case of a mobile call, is served by the cellular provider 150. In step 215, the automatic number identification (ANI) information and the dialed number identification service (DNIS) information may be captured or detected, as is well known in the art.
This information (or at least the ANI information) is passed to the ac system 120 as shown. The ac system 120, in turn, identifies an account belonging to a given user based on the ANI and sends an enable or disable (or on / off) message to the session initiation authorization system 130, for the account appropriate, in step 220. Optionally, ac system 120, with the identification of an account, sends an audible message back to user 100 in steps 216, 217 which instructs the user to enter a password or personal identification number (PIN) ) to the telephone, which, in steps 218, 219, are passed back to the ac system 120. This additional password / PIN step converts the basic methodology described herein into two-factor authentication, where the user "has" something, particularly an associated telephone and ANI, and "knows" something, in this case a password or PIN. A password or PIN could also be sent along with the originally marked number, thus avoiding the indication and answering steps. In any case, after the password or PIN is confirmed by the ac system 120, step 220 of the enabling / disabling message may be performed. In a possible implementation, the session initiation authorization system 130 knows the reception of the enable / disable message in step 230, which can then activate the ac system 120 to dispatch an appropriate confirmation message again to the user 100 in the form of, for example, a busy signal (step 240) or an electronic message (email, IM, SMS message) (step 245). The user 100 actually receives the response in step 250. Figure 3 shows how the cellular system or provider 150 and the wired telephone 112 are connected at the end to the public switched telephone network (PSTN) 175. The ac system or controller 120 it is connected in the same way to the PSTN 175 by, for example, an ISDN service of primary proportion. Such connectivity methods are well known in the art. Another possibility of possible connection (not expressly shown) is through signaling system seven (SS7), which, as is well known, also supports ANI and DNIS servi Figure 4 represents the result of a session initiation / authentication request according to an embodiment of the invention. As shown, when someone tries to log on to the network-based application in step 410, and the login ac has previously been disabled, then the request to log in is denied in step 420. If on the other hand , the login ac has never been disabled, or was recently rehabilitated from being disabled, then the login pro is allowed to proceed as shown in step 430. In this way, a user of an application based on The network can control ac to that application through an "out-of-band" link, particularly the telephone system. In the embodiments of the present invention, an advantage is simplicity for the customer. To achieve this, it is preferable to employ strongly coupled integration between the telephony system (call set-up information, dialing techniques) and the network-based application (account or login ID, authentication). Traditionally, telephones are used when calling first a 'number', where a telephone system answers the call, requesting that the customer listen to the indications in voice, and respond through the use of the telephone keypad, where the DTMF (digital tones) they are transmitted as keys that are pressed and the numbers are transmitted as instructions such as "Press 1 to turn on, press 2 to turn off". This is often called interactive voice response (IVR). As will be appreciated from the foregoing, and as will be more fully described in the following, embodiments of the present invention seek to avoid this complexity and confusion associated with these traditional systems.
In some modalities, the use of 'quick dial' or an abbreviated sequence of keystrokes to initiate a call in the access system can be used. For example, some modalities may employ the use of a 'personalized' sequence from the cellular provider (or telephone), such as * 11 to turn ON and * 22 to turn OFF, or 111 to turn ON and 222 to turn OFF, etc. This information can be retrieved from the DNIS information captured at the beginning of the call. In alternative modes, a custom sequence, such as can be used as a PRE-fixed, attaches a reference number that indicates which of the login account numbers of possibly multiple login accounts associated with the telephone number of which flame is turning on or off. For example, * 113 can turn ON the third login entry in a list maintained by the login / accounts client. Exact numbers that are less important than keeping the sequence short and simple, through the use of mnemonic combinations can be useful. And, again, a password or PIN can be incorporated into such originally marked numbers. Using the call set-up information for this task you can achieve several things, including: Direct the cellular or telephone system provider to route the call to the access system using the 'shortcut' or predetermined sequence of dialed numbers; Determine the client's attempt to turn ON or TURN OFF the login using the called number (sequence), specifically through the use of the DNIS as passed during the establishment of the call; Identify which login is being addressed by the user through the use of the telephone number of the originator of the call, specifically through the use of ANI as passed during call establishment; and Making use of advanced telephone techniques to communicate this information to the access system without additional effort from the client, and specifically, to transmit the call establishment information available, making use of the ISDN (better case) in the control of access to capture the diverse information, which includes: DNIS (the number that is marked 'FOR' (* 11, * 22, 111, 222, etc.), to determine if the client wants to "TURN ON" or "TURN OFF". ANI (number DE, to determine who is calling), which uniquely identifies the client for the access system, and consists of the calling party's telephone number, transmitted by the telephone system (carrier) in the form of an ANI. ANI is preferably, for example, for the ID OF WHICH CALL, since it is possible to exploit various means to manipulate or block the caller's ID while ANI is a component handled by the carrier. In this way, the information required to achieve the customer's request can be obtained before the first bell. Through the telephone answer (e.g., ISDN) given in the response to the call establishment request, a signal may be issued to indicate which call has achieved a state change for the login. A busy signal (see step 240 of Figure 2) can be allowed, for example, while a continuous timbre or other signal (reset) may indicate that the task was not completed successfully. The use of busy or replacement signage could be chosen to communicate the status and reduce the possibility of confusion, as much as possible and permissible. Alternatively, to communicate more clearly the results of the 'call' to change the status, inform the customer and confirm the new status of the login, an "instant message" (IM) (or other form of electronic message, as shown) in Figure 2) could be sent indicating the current status of the login (now). For example, the call can be answered and a short message 'reproduced' to indicate the new state of login. Still another alternative, mentioned previously, is that of sending an email to indicate the current status of the session start (new). Some modalities may provide an alternative, audibly distinctive response when the call set-up information is processed so that the IM (or other confirmation vehicle) is necessary. It should be appreciated by those skilled in the art that the use of a personalized dial sequence may require the cooperation of the telephone / cellular system provider. Alternatively, preprogrammed dialing can be used. Customized sequences have the benefit of simplicity for unsophisticated users. Referring again to Figure 2, the user 100 uses, for example, the cellular telephone 110 to send a message solely prepared for the cellular provider / partner 150, whose partner 150 initiates a call, during the start of the call, the message establishment (stage 215) is transmitted to the Access System 120, which interprets the calling telephone number (ANI) as either an account number or a means to consult a current session start in a table previously constructed for that purpose and which (optionally) interprets the caller's dialed number (DNIS) as an indication that the client wants enabled or disabled login. The user can then be indicated by a password or PIN. Then, the Access System 120 forwards a message in a standard communication method and protocol (such as HTTPS-http secure / encrypted) using a standard message technique (XML / SOAP) for the Authorization System 130, for inquiry and subsequent responses (step 230) again in Access System 120, which indicates the result of message processing. System 120 of Access that employs a 'channel' response for the user of a standard network response such as a busy signal (step 240), or alternatively an out-of-band response using, for example, Instant Messaging (IM, step 245), at which point the cellular provider 150 forwards the message (from steps 240, 245) to the customer's telephone 110 for the reception by the client 100, in step 250. Exemplary Applications and Modes of the Invention A non-limiting, exemplary practical application for the present invention is to provide the ability for a user to turn OFF the ability to log on to the email account of the user's Internet (for example, JoeSmith@Yahoo.com). In accordance with the principles of the present invention, the user 100 dials a predetermined number reaching the access system 120 and causes access to the e-mail account to be OFF (or ON). As a result, even if an unauthorized user furtively gets the user's name and the user's correct password for login purposes, the login request will be denied (assuming the access has been turned OFF), as shown in Figure 4. Other non-limiting examples where the present invention may be of particular utility include online banking activities, online payment applications, network-based order screens, secure sites for vendors to observe RFP / RFQ / RFI documents and respond safely, etc. These types of websites (or Internet sites generally, that is, not limited to the global network) will have in common the need for the average user to produce credentials to gain access to an Internet-based service. Modalities of the present invention, through a new use of telephony, enable or disable (ON or OFF) the ability of these credentials to access the account, thus adding yet another level of security to these sites. In addition to network-based applications, the present invention has utility for controlling access mechanisms. For example, the methods and systems described in the present invention could be used to enable an access card just before the card is used to pass through a door or hallway. The access control of the present invention could also be used to toggle domestic or commercial alarms. It is also contemplated that one can use the system to control access in a vehicle by alternating a "bypass" switch remotely. This could be achieved by having the vehicle configured to have a cellular or other RF receiver. This functionality could also be coordinated with services such as OnStar ™. The above description of the preferred embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms described. Many variations and modifications of the embodiments described herein will be apparent to one of ordinary skill in the art in view of the foregoing description. The scope of the invention will be defined only by the claims appended thereto, and by their equivalents. In addition, to describe representative embodiments of the present invention, the specification could have presented the method and / or process of the present invention as a particular sequence of steps. However, to the extent that the method or process is not based on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. As someone of ordinary skill in the art can appreciate, other sequence of steps may be possible. Therefore, the particular order of the stages established in the specification should not be construed as limitations on the claims. Furthermore, the claims directed to the method and / or process of the present invention should not be limited to the performance of its steps in the written order, and one skilled in the art can easily appreciate that the sequences can be varied and even remain within the spirit. and scope of the present invention.

Claims (42)

  1. CLAIMS 1. A method for controlling access to a network-based application, characterized in that it comprises: receiving a telephone call in an access system; analyze call establishment information associated with the telephone call; determine from call establishment information if there is a desire by a user to grant or deny future access to the network-based application; and communicate, from the access system, the desire to grant or deny access to the network-based application, and then grant or deny access to the network-based application.
  2. 2. The method according to claim 1, characterized in that the call set-up information comprises automatic number identification (ANI).
  3. The method according to claim 2, further characterized in that it comprises correlating the ANI information with the user account associated with the network-based application.
  4. 4. The method according to claim 1, characterized in that the call setup information comprises dialing number identification service (DNIS).
  5. 5. The method of compliance with the claim 4, characterized in that the DNIS information includes predetermined coding to indicate the desire to grant or deny access to the network-based application.
  6. 6. The method of compliance with the claim 5, characterized in that the DNIS information includes an indication of an account selected from among a plurality of accounts associated with a given user.
  7. 7. The method of compliance with the claim 1, further characterized in that it comprises receiving a password or PIN during the telephone call.
  8. The method according to claim 1, characterized in that the network-based application is an email application.
  9. 9. The method according to claim 1, characterized in that the network-based application is an online banking activity application.
  10. 10. The method according to claim 1, characterized in that the network-based application is an online payment application.
  11. The method according to claim 1, characterized in that the network-based application is a commercial online application.
  12. The method according to claim 1, characterized in that the network-based application is one of a document presentation request and insurance request that allows the only selected access to a predetermined group of people.
  13. 13. The method according to the claim 1, characterized in that the access system is operated by the same entity as the network-based application.
  14. The method according to claim 1, further characterized in that it comprises confirming a current state of access to the network-based application by operating an interactive voice response (IVR) system to which the user has access when making the telephone call. .
  15. The method according to claim 1, further characterized in that it comprises confirming a current state of access to the network-based application by sending one of an email, short message and instant message to the user associated with the call setup information. .
  16. 16. The method according to claim 1, characterized in that the telephone call is initiated from a wired telephone.
  17. The method according to claim 1, characterized in that the telephone call is initiated from a mobile device.
  18. 18. The method according to claim 17, characterized in that the telephone call is initiated from a mobile telephone.
  19. The method according to claim 1, further characterized in that it comprises receiving a request for session initiation by the network-based application and one of granting and denying the login based on the user's desire to grant or deny access future as previously detected.
  20. 20. A method for controlling access to a feature of a network-based application from a system without a network base, characterized in that it comprises: capturing the automatic number identification (ANI) and the dialed number information service (DNIS) of a phone call made in an access system; identify a user's account based on information from ANI; receive a password or PIN associated with the account; determine from the DNIS information whether future access is granted or denied to at least one feature of the network-based application; notify the network-based application with a notification message, from the access system, of granting and denying future access to at least one feature of the network-based application; receive a confirmation, in the access system, of the network-based application of the receipt of the notification message; and send a response message from the access system to the user indicative of the confirmation.
  21. 21. The method according to claim 20, characterized in that the network-based application is an email application.
  22. 22. The method according to claim 20, characterized in that the network-based application is an online banking activity application.
  23. 23. The method according to claim 20, characterized in that the network-based application is an online account payment application.
  24. 24. The method of compliance with the claim 20, characterized in that the network-based application is an online commerce application.
  25. 25. The method according to claim 20, characterized in that the network-based application is a request to present the document.
  26. 26. The method according to claim 20, characterized in that the network-based application is an insurance request that allows only selected access for a predetermined group of people.
  27. 27. The method according to claim 20, characterized in that at least one feature of the network-based application is a session initiation process.
  28. 28. The method according to claim 20, characterized in that the access system is operated by the same entity as the network-based application.
  29. 29. The method according to claim 20, characterized in that the response message is distributed using an interactive voice response system (IVR) to which the user obtains access when making the telephone call.
  30. 30. The method according to claim 20, characterized in that the response message is distributed by e-mail.
  31. 31. The method of compliance with the claim 20, characterized in that the response message is distributed by a short text message.
  32. 32. The method according to claim 20, characterized in that the response message is distributed by means of an instant message.
  33. 33. The method according to claim 20, characterized in that the telephone call is initiated from a wired telephone.
  34. 34. The method according to claim 20, characterized in that the telephone call is initiated from a mobile device.
  35. 35. The method of compliance with the claim 34, characterized in that the telephone call is initiated from a mobile telephone.
  36. 36. A method for enabling and disabling access to a system, characterized in that it comprises: examining the automatic number identification (ANI) information of a received telephone call; associate ANI information with a user account; determine a current state of login access for a system for the user account, the status of login access is one of enabled and disabled; and notify the system to change the status of the login access to the other one of enabled and disabled depending on the current state of the login access.
  37. 37. The method according to the claim 36, further characterized in that it comprises receiving a request to log on to the system and deny logon when the state of login access for the system is disabled.
  38. 38. The method according to claim 36, further characterized in that it comprises examining the information of the dialed number identification service (DNIS) of the received call.
  39. 39. The method according to claim 36, characterized in that the telephone call is initiated from a wired telephone.
  40. 40. The method according to claim 36, characterized in that the telephone call is initiated from a mobile telephone.
  41. 41. The method according to the claim 36, characterized in that the system is a network-based application.
  42. 42. The method according to claim 36, characterized in that the system comprises a mechanical device.
MX/A/2008/005472A 2005-10-27 2008-04-25 Systems and methods for user interface access control MX2008005472A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US60/730,382 2005-10-27

Publications (1)

Publication Number Publication Date
MX2008005472A true MX2008005472A (en) 2008-09-26

Family

ID=

Similar Documents

Publication Publication Date Title
US7797734B2 (en) Systems and methods for user interface control
US8347364B2 (en) Systems and methods for user interface control
FI115355B (en) Arrangement for the authentication and authentication of a secure system user
US7190948B2 (en) Authentication mechanism for telephony devices
US8515038B2 (en) Method and apparatus for controlling calling-party identification
US8416933B2 (en) Trusted environment for communication between parties
US7486779B2 (en) Origin device based callee identification
US20070171898A1 (en) System and method for establishing universal real time protocol bridging
US20090025075A1 (en) On-demand authentication of call session party information during a telephone call
US8135000B2 (en) Methods and systems for selecting a buddy from a buddy list and for placing call to a buddy
US8340270B2 (en) Identification of multiple persons on a phone call
JP2006295673A (en) Call system, proxy dial server device, proxy dial method used therefor, and program thereof
US20030108159A1 (en) Destination device based callee identification
WO2001050682A1 (en) Communication using virtual telephone numbers
JP4739679B2 (en) Reception system, reception auxiliary server, and reception processing server
US20150121455A1 (en) Methods and Systems for Selectively Obtaining End User Authentication Before Delivering Communications
EP2341689B1 (en) Method and system for enhanced conference call security
GB2471612A (en) Authenticated voice or video calls for preventing phishing
TW200814703A (en) Method and system of authenticating the identity of the client
KR101071023B1 (en) Apparatus and Method for User Certification using Mobile Phone
MX2008005472A (en) Systems and methods for user interface access control
CN112600983A (en) Method and apparatus for redirecting communication requests
JP2002229952A (en) User authentication system and user authentication method
JP2009017212A (en) Telephone number authentication registering apparatus
EP1146712A1 (en) Authentication in telecommunication system