MXPA00007816A - Method, arrangement and apparatus for authentication through a communications network - Google Patents
Publication number: MXPA00007816A
Authority: MX (Mexico)
Abstract
A method, arrangement and apparatus for providing authentication to an application provided through a communications network. A connection is established between the application and a user interface through said communications network so as to enable a user to access the application. Authentication is provided to said application by means of a mobile station communicating through a mobile communications network.
Description
METHOD, ARRANGEMENT AND APPARATUS FOR AUTHENTICATION THROUGH A COMMUNICATIONS NETWORK

FIELD OF THE INVENTION

The present invention relates to a method for providing authentication to an application. The invention also relates to an arrangement for providing authentication to an application and to an apparatus to be used for authentication.

BACKGROUND OF THE INVENTION

There are several electronic applications that involve a need for authentication. Authentication may be required, for example, when a user accesses a specific application and/or when a user is already using an application and the need arises to verify the user, or to receive some confirmation from the user that allows the application to continue processing. Examples of applications that may require authentication include various commercial services obtained through communications networks such as the Internet, intranets or local area networks (LANs), payment and banking services accessed through communications networks, access to resources, remote programming, reprogramming or software updating, etc. Even some free services obtained through communications networks may require authentication. The number of services or applications that require at least some degree of authentication of the user who tries to access them (or of a user who is already using them, when the authorization has to be reviewed during use of the service or something has to be confirmed during use) has increased greatly in recent years, and a further increase in the need for authentication is expected in the future.

Some well-known solutions for authentication in communications already exist. These solutions usually employ cryptographic techniques between two communicating computing devices. In a basic authentication scenario, a random challenge is supplied to the encryption functions of the two computing devices. Both computers hold a secret key, that is, an encryption key that is also supplied to the encryption function in both computers. The results computed by the two encryption functions are then compared: if the comparison is positive, the authentication is considered valid; if it is negative, the authentication attempt is considered failed. Several other authentication arrangements also exist.
U.S. Patent No. 5,668,876 and WO 95/19593 disclose prior art methods for authentication that use paging system technology. The following prior art arrangements are listed together with a brief description of some of their drawbacks.

Passwords. The use of one or several passwords is currently the most common approach to authentication. The password is supplied to the remote application through a user interface, for example a computer terminal connected to a communications network. This solution does not take the vulnerability of the network into account, since the password is exposed to anyone who has access to the network (and enough skill to read the passwords).

A secret. This can be described as an electronic password, signature or encryption key stored and used, for example, by the user interface. Even though the secret is not revealed to the network, it may end up in "the wrong hands" and be used by a party other than the intended original users of the secret.

Software authentication in the user interface. This is a more sophisticated approach. The password is given to a program in the user interface, which then authenticates itself cryptographically to the requested application. Even though this is more secure than the previous solutions, it leaves an opportunity to steal the passwords from the user interface, and the software can be modified without the real user noticing.

Smart cards with associated readers. A smart card can exchange encrypted challenge-response messages, but it has no user interface through which the user himself could give his authorization. Such an interface may exist in smart card readers, but the readers must be well protected against misuse, so ordinary users (that is, the vast majority of users, the public) usually have no physical access to these reader interfaces and have to trust the organization that issues the smart cards. Furthermore, smart card readers cannot be shared between organizations that do not trust each other.

Smart cards with a user interface. These exist already, but they are expensive since each security processor needs its own secure user interface. They are rare and their input/output capability is still very limited, so they cannot be considered an economically adequate solution to the authentication problem.

A separate personal authentication device. In this approach the user himself serves as the "communication medium" between the user interface and a separate authentication device. The user interface presents a challenge, which the user keys into a hand-held authentication device (a pocket-calculator type device). The device may, for example, produce a number as the response, and the user then keys this number into the user interface. The problems here are related to the need to acquire, use and carry a separate device, and in some cases to the risk of mistyping the usually long and complex character strings.

The above already mentions some of the parties that may be involved when authentication systems are implemented. They are briefly explained in more detail below.

The user is usually a human being who uses several applications or services. The user may be identified by a password (or secret) known only to him or her (a public key method), or by a secret shared between the user and the application (a secret key method).

The application is the party that wants to be sure of the authenticity of the user. The application may also be called a service.
From the perspective of the application, the question of authenticity can be divided into four different questions: 1) is the user currently at the other end? (known as peer entity authentication); 2) do subsequent messages come from the same user? (message stream integrity); 3) does a specific message originate from a certain user? (data origin authentication); and 4) is the message such that even a third party can be convinced that it originates from a certain user? (non-repudiation).

The user interface is the device or arrangement that allows the user to access the application or service. In most cases it can also be called a terminal, and it may consist of devices such as computers (for example a personal computer, PC), workstations, work terminals, mobile stations such as mobile phones, radios or pagers, cash dispensers and/or banking machines, etc. The user interface provides input/output facilities and may possibly also provide part of the application.

The Personal Authentication Device (PAD) is a piece of equipment that the user carries with him or her. The PAD may have some basic input/output functionality and even some processing capability. The smart cards and separate authentication devices mentioned above can also be considered PADs. In most cases the user can trust his PAD, since the user has it (almost) always with him and therefore under continuous control. Any passwords or secrets are hidden in the device in such a way that there is no easy way to extract them, and the device itself is not easily modified in a way that could compromise the communication path between the user and the security processor. In addition, PADs usually hold a minimal amount of stored state and their programs are not easily modifiable.

SUMMARY OF THE INVENTION

Although the prior art solutions for authentication described above exist, limitations beyond those already mentioned continue to arise in the area of authentication. If access to the application is made completely secure, or as secure as possible, the application easily becomes extremely complex in its architecture, and it also becomes complicated and time-consuming to access and use.
The increased level of security increases the amount of hardware and software required, which in turn increases the need for maintenance and updating, so that the total cost of authentication can become high. Complexity and cost can be reduced by lowering the level of security, but this leads to an insufficient level of security in communications. It is also believed that an "absolutely secure" state does not even exist in communications networks, since technical development makes it possible for hackers to break even the most complicated security arrangements.

A human problem lies in the fact that passwords or secrets can become quite complicated and/or too long, or too numerous, which makes them hard for users to remember. Typically, a secret considered secure in the secret key method has 128 bits, and in the public key method 1024 bits. For most people it is impossible to remember keys of this kind. In addition, users cannot perform the calculations required for authentication without external devices. As explained above, basic authentication is often carried out with the challenge-response method, which would require the user (that is, a human being) to encrypt something with his secret. This is not considered possible in practice.

In addition to the possibility of capturing the password or secret during its transmission over an open communications network, as discussed above, current solutions do not pay enough attention to the vulnerability of the user interfaces. Terminal devices have been developed to be so full of complex technology and software that most users can no longer fully control the terminals or understand their operation. Furthermore, it frequently happens that many users share the same terminal device (for example a shared personal computer) and/or that external maintenance personnel have access to the computers of an otherwise closed organization. Computer terminals contain state and programs stored in memory devices, which can be modified. In modern computers it is possible to modify the software without the user noticing, even over the communication paths without any physical access to the device itself. As an example of the risks, a program in a computer terminal can be modified so that it alters the data the user sends, for example, to a bank, so that the computer redirects all bank transfers on a given day to an account other than the one designated by the user. Such unnoticed modification or reprogramming may cause significant damage when used against ordinary individual users, and especially when used against organizations such as companies or public administrations. This means that ordinary terminal devices and communication paths cannot be relied upon.

Accordingly, it is an object of the present invention to overcome the disadvantages of the prior art solutions and to offer a new type of solution for authentication. A further object is to provide a method and arrangement by which a user who wishes to access an application can be authenticated more securely than was possible in the prior art. A further object is to provide authentication when the need for it arises during the use of an application that has already been accessed. An object of the present invention is also to provide a method and arrangement in which a mobile station can be employed for authentication. A further object of the present invention is to provide a solution in which the authentication module of a mobile station can be used for authentication.
Other objects and advantages of the present invention will be presented in the following part of the specification together with the accompanying drawings.

The objects are achieved by a new method for providing authentication to an application provided through a communications network. According to the present invention, a connection between the application and a user interface is established through the communications network so as to allow a user to access the application provided through that network. In addition, a connection is established between the application and a mobile station through a second communications network. Authentication for the application is provided by means of a communication from the mobile station to the application through the second communications network.

According to a further embodiment, the authentication method comprises the step of establishing a connection between an application and a user interface through a communications network in order to allow a user to access the application provided through that network. Authentication for the application is provided by means of a mobile station in such a way that a secret of the Subscriber Identity Module (SIM) of the mobile station is employed in the cryptographic operations of the authentication.

The invention further provides an arrangement for providing authentication to an application offered by an application provider through a communications network. The arrangement comprises a user interface and a first connection between the application and the user interface through the communications network, in order to allow use of the application. The arrangement further comprises a mobile station and a second connection between the application and the mobile station through a second communications network, in order to allow authentication. The arrangement further comprises means for authenticating the user to the application via the second communications network.

According to an alternative embodiment, the invention provides a mobile station for providing authentication to an application offered through a communications network, where the application is accessed through a user interface connected to the communications network, said mobile station uses a communications network different from that of the user interface for its communications, and the mobile station is used to authenticate the use of said application accessed through the user interface.
Various advantages are obtained by the present invention, since the solution introduces a new, reliable form of authentication. The authentication method and arrangement of the present invention can easily be implemented in existing communications networks without excessive alterations or additional devices. The arrangement can be used in connection with several different applications, in practice with any application provided through a communications system that requires some kind of authentication.

The user no longer has to carry a separate authentication device (PAD), or many different authentication devices. The user can also trust the personal authentication device (PAD) according to the present invention, since the mobile station is usually always with him or her, and users tend to take care of their mobile stations. Furthermore, if a mobile station is stolen, for example, the operator can easily cancel the mobile subscription and/or the SIM. All the secrets of a mobile station are hidden in the equipment in such a way that they are not easy to find, and the mobile station device itself is not easily modified in a way that would compromise the communication path between the user and the security processor. The system holds a minimal amount of stored state and its programs are not easily modified. The existing SIM of a mobile station, and more precisely its secret, can be used for the required cryptographic procedures. Thus the SIM can be used as a security card for new purposes, and there is already a party controlling the use of the SIM, namely the mobile network operator, which can immediately cancel a SIM if fraud is suspected.

The present invention and further objects and advantages thereof will now be described by way of example with reference to the accompanying drawings, in which like reference numerals in the various figures refer to similar features. It will be understood that the following description is not intended to restrict the invention to the specific forms presented in connection therewith; rather, the present invention is intended to cover all modifications, equivalents and alternatives falling within the spirit and scope of the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 shows an overview of a possible arrangement of communications networks in which the present invention can be implemented; Figure 2 is a schematic presentation of an embodiment for authenticating a user in accordance with the present invention; Figure 3 schematically discloses a possible mobile station and an embodiment of the present invention; Figures 4 and 5 are flow charts in accordance with two embodiments of the present invention; Figure 6 discloses an alternative embodiment for authentication in accordance with the present invention; and Figure 7 is a schematic presentation relating to a further embodiment of the present invention.

DETAILED DESCRIPTION OF THE DRAWINGS

Figure 1 is a schematic representation of a network arrangement that can be employed when implementing the present invention.
The arrangement of Figure 1 comprises a Public Switched Telephone Network (PSTN), schematically illustrated as a box indicated by reference numeral 20. The exemplary PSTN is a fixed-line telephony network (Plain Old Telephone Service, POTS), which forms a communications network through which a user interface 16 can access an application. In this embodiment a user (not shown) can use the user terminal 16 connected to the PSTN as the user interface for accessing the desired service on the WWW server 45, reachable through a connection to the Internet. The terminal 16 shown is a personal computer (PC), but other types of user interface, such as workstations, cash dispensers, etc., can also be used.

A Public Land Mobile Network (PLMN) is also shown. It can be, for example, a cellular telephone network or a similar mobile communications system. Two mobile stations, MS 1 and MS+PC 2, are also shown; MS+PC 2 can be defined as an integrated mobile phone and laptop computer. Both can communicate over an air interface 3 with the PLMN through one of several base stations (BS) 4 of the PLMN. One type of PLMN is a digital GSM network (GSM, Global System for Mobile Communications), which is specified in more detail in the GSM recommendations of ETSI (European Telecommunications Standards Institute); the network architecture itself is described in detail in recommendations GSM 01.02 and GSM 03.02 or their revised versions. It will be noted that while the invention is described primarily in the context of an exemplary cellular telephone network using GSM terminology, those skilled in the art will recognize that the present invention can be implemented in any mobile system. It will also be noted that, for clarity, only those parts of the mobile network structure are shown that are considered necessary for illustrating the operation of the example system. A person skilled in the art knows that telephony networks can normally also comprise devices other than those shown, that some of the disclosed elements of the PLMN or PSTN can be omitted or replaced by other types of element, and that a large number of mobile networks and ordinary fixed networks can cooperate and interwork with each other. The person skilled in the art also understands that the connection to the Internet can be a direct connection, without any PSTN or similar network between the user terminal 16 and the Internet 43. These alternatives are not illustrated or explained in more detail, since they are known to those skilled in the art.

The GSM-based public land mobile network (PLMN) typically includes several mobile services switching centres (MSCs) 10. Each of these is in turn connected to several base station subsystems (BSS) 6 (only one MSC and one BSS are shown for clarity). The base station subsystem 6 usually comprises a base station controller (BSC) and the necessary interface apparatus, and is connected to several base stations (BS) 4, each of which serves a certain geographic area known as a cell (for cells, see Figure 7). The mobile services switching centre 10 of Figure 1 is connected to the public switched telephone network (PSTN) 20 through an exchange 12 and lines 11. The MSC 10 is also connected to a global communications network, which in the example is the Internet (indicated by reference numeral 43). The MSC can also be connected to an Integrated Services Digital Network (ISDN) or to any other appropriate type of communications network. The necessary links between the components of the different telecommunications network systems are known per se in the art. The PLMN also includes a database known as the home location register (HLR) 9, connected to the MSC.
The mobile terminals 1 and 2 that are subscribers of the mobile telecommunications network are registered in the HLR 9. Each mobile services switching centre 10 further includes a local database known as the visitor location register (VLR) 8, in which all mobile stations 1 and 2 currently within the area of one of the cells handled by this MSC are registered at any given time. The mobile stations are identified by a SIM (Subscriber Identity Module), usually mounted inside each mobile station or otherwise physically connected to it. A SIM is a module that contains several items of user-related (subscription) information. It may also contain additional information relating to the encryption of the radio communications. The SIM can be mounted in the mobile station either fixedly or removably. The use of the SIM, as well as of the HLR and/or VLR registers, in this invention will be discussed in more detail later in this specification.

As mentioned above, the user can be connected to the Internet 43 through a fixed or mobile network or through a direct connection. There may be some differences between the connections, for example in the case of GPRS (General Packet Radio Service), but the Internet service is available to users of both the PSTN and the PLMN. In the example, the mobile switching centre (MSC) 10 as well as the PSTN 20 are provided with access to the Internet 43 through access nodes (AN) 14 and 40. Although only one access node per communications network is shown, it will be understood that in practice the number of access nodes can be substantially greater and continues to increase. In one solution, a special Internet Access Server (IAS), capable of converting the signal into data packets, is used as the access node to the Internet.

Users of the Internet 43 have entered into an agreement with an Internet Service Provider (ISP) 42, which provides the communications connection from the user terminals 1, 2 and 16 to the Internet. When the user wishes to connect to the Internet, the user contacts the Internet Service Provider (ISP) 42 in order to connect his terminal 16 to the desired address (known as the Internet Protocol address). The call connection is established through the PSTN 20 and passes through at least the local exchange 18, and perhaps one or more transit exchanges connected to each other by trunk lines (not shown). It will be understood that, although Figure 1 shows only one ISP through which both networks communicate with the Internet, the communication could be arranged through different ISPs. Figure 1 further shows a WWW (World Wide Web) server 45, which includes server databases x, y and z providing different services. A connection from the ISP through the router 44 to this server 45 over the Internet 43 is also shown. It will be understood that the service can be any service obtainable through any communications network, for example a banking service, an electronic shopping service, etc., in which authentication is required.

The mobile station 1 (or 2) is used as a personal authentication device (PAD) when the user starts to access, or has already accessed, a service x provided by the WWW server 45 through the user interface 16 and the PSTN 20. The mobile station 1 communicates with the service x over a communication path or channel separate from the one used by the user interface 16. The mobile station can be trusted since the user usually keeps it with him. The ergonomic and functional requirements for mobile stations and for conventional PADs are essentially the same, and the mobile station has a user interface suitable for a PAD.
A modern MS even has a security processor interface that is suitable for authentication purposes. There are many alternatives for achieving authentication by means of the mobile station, and the following examples present some of these in more detail.

Reference is now made to Figures 2 and 4, of which Figure 2 schematically discloses an arrangement for authentication and Figure 4 is a flow chart of the operation according to a basic embodiment. The user 22 sends, through the user terminal 16, a request for access to a desired application 45, such as a banking service, over a connection established by means of a communications network (arrow 21 in Figure 2; steps 102 and 104 in Figure 4). The application 45 may comprise a database 46, or it may be connected to a separate database such as the HLR 9 of the MSC 10 of Figure 1, from which the application can retrieve the necessary user information. Based on this information, the application establishes a connection with the mobile station 1 of the user 22 (arrow 26, step 106) for authentication purposes. In this step the user can accept the connection 21 made by the user interface 16 by returning a confirmation signal 29 (for example an acknowledgement) from the mobile station 1, indicating that access is allowed and that actual use of the service can begin (steps 108 and 112). If the authentication fails, for example because the application cannot reach the mobile station 1, all connections are closed (step 110). Alternatively, the user may be allowed to retry the access, either immediately or after a certain period of time, or the user may be given instructions through the user interface 16 to take some additional measures because of the failed authentication.

One way to implement the authentication, or the acknowledgement feature, is to use short messages of the Short Message Service (SMS) of the PLMN. In the GSM system, an SMS service centre (SMS-SC), indicated by reference numeral 7 in Figure 1, is provided for delivering short messages to the mobile stations and for receiving short messages from them. Service centre 7 sends messages to the mobile subscribers using the network elements discussed above and defined in the referenced specifications. The SMS message signalling usually contains, for example, the identity of the recipient, sender information, a time stamp, etc.

Figure 3 shows a situation in which the mobile station MS 1 has received an SMS message; the steps of the corresponding method are illustrated by the flow chart of Figure 5. According to this embodiment, the user, having accessed the banking service through the user interface 16, has requested that a sum of 200 FIM be transferred from account number 1234-4567 to account number 4321-7654 (step 204). The application retrieves the authentication data relating to the user from an appropriate database (step 206) and accordingly sends a text message to the mobile station 1 (step 208). The mobile station 1 displays the text as illustrated and asks the user to confirm or deny the transaction by pressing the "yes" or "no" key, respectively (step 210). The response is then transmitted back to the application; in the case of a "yes" the transaction proceeds (step 214), and in the case of a "no" other measures are taken. Arrows 27 and 28 of Figure 2 can also be regarded as illustrating the stage at which the mobile station 1 and the user 22 communicate: the information received by looking at the display 31 of the mobile station 1 is indicated by arrow 27, and the response given by the user to the mobile station 1 by arrow 28. As explained, the user makes his choice by pressing the Y or N keys 32 of the mobile station.

If the user accepts, that is, "signs" the transaction, the banking service proceeds accordingly. If the user does not confirm the transaction, that is, presses the "no" key, the application can send a request to the user interface for a correction, a cancellation, a new destination account, etc. (steps 216, 218). If the application receives no response within a certain period of time, or the response is in some way incorrect, the application can either send a second request for confirmation or close all connections. After having once accessed the application, the user can process several subsequent transactions and even other banking services. When the user finally answers in step 216, via the user interface 16, that he does not wish to continue, the connections are closed (step 220).

According to one embodiment of the present invention, the information contained in the HLR, and even in the VLR, of the PLMN of Figure 1 can be used when implementing the authentication arrangement of the present invention. This is possible because each mobile subscription has, in the HLR 9 of Figure 1, information relating to the SIM (Subscriber Identity Module) already mentioned, an IMSI (International Mobile Subscriber Identity) and an MSISDN (Mobile Subscriber ISDN number), as well as location information (VLR number), basic subscriber information for the telecommunications services, service restrictions, supplementary services, etc. Accordingly, Figure 3 can also be regarded as showing a SIM (Subscriber Identity Module) card 34 inserted in the mobile station 1. The telephone operator usually uses the SIM for billing and for locating the user. Thus the SIM card 34 must be connected to the mobile station 1 before it can be used to make telephone calls.
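The SMS confirmation flow of Figures 4 and 5 (steps 204 to 220) is simulated below as an added example; this is illustration code written for this page, not part of the patent or of any operator's implementation. The banking application, the SMS delivery to the mobile station and the user's Y/N key press are all modelled as plain Python objects, the account numbers and the 200 FIM amount are the ones from the description, and the request identifier printed on the display, the timeout and the "replayed answer is ignored" rule are design choices assumed here, not features the patent specifies.

```python
"""Out-of-band Y/N transaction confirmation over a second channel (added example)."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    from_account: str
    to_account: str
    amount: str                       # kept as text, e.g. "200 FIM"


class MobileStation:
    """Simulated MS (Figure 3): texts delivered to it appear on display 31."""

    def __init__(self, reachable=True):
        self.reachable = reachable
        self.display = []             # delivered texts, newest last

    def deliver(self, text):
        """Delivery from the SMS service centre; False when the MS cannot be reached."""
        if not self.reachable:
            return False
        self.display.append(text)
        return True


class Application:
    """Simulated banking service 45: every transaction is echoed to the MS for a Y/N answer."""

    def __init__(self, directory, timeout_s=60.0):
        self.directory = directory    # user -> MobileStation; stands in for database 46 / HLR 9
        self.timeout_s = timeout_s
        self.pending = {}             # req_id -> (user, txn, time issued)
        self.executed = []

    def request_transfer(self, user, txn, now):
        """Steps 204-208: look the user up and push the transaction details to the MS.

        Returns the request id printed on the MS display, or None when the MS is
        unknown or unreachable (step 110: authentication impossible, session closed).
        """
        ms = self.directory.get(user)
        req_id = secrets.token_hex(3)           # 6 hex digits, fresh for every request
        text = (f"[{req_id}] Transfer {txn.amount} from {txn.from_account} "
                f"to {txn.to_account}? Press Y to confirm, N to reject")
        if ms is None or not ms.deliver(text):
            return None
        self.pending[req_id] = (user, txn, now)
        return req_id

    def receive_reply(self, req_id, key, now):
        """Steps 210-218: the key the user pressed comes back over the mobile network."""
        entry = self.pending.pop(req_id, None)
        if entry is None:
            return "ignored"          # unknown or already answered: a replayed Y buys nothing
        _user, txn, issued_at = entry
        if now - issued_at > self.timeout_s:
            return "closed"           # no answer in time: close the connections (step 220)
        if key == "Y":
            self.executed.append(txn)
            return "executed"         # step 214: the transfer proceeds
        if key == "N":
            return "rejected"         # step 216: the UI is asked for a correction or cancellation
        return "invalid"              # garbled answer: re-ask or close, at the application's choice


def figure_5_scenario():
    """The worked transfer from the description, run through the simulated components."""
    ms = MobileStation()
    app = Application({"user22": ms})
    txn = Transaction("1234-4567", "4321-7654", "200 FIM")   # values from the description
    req_id = app.request_transfer("user22", txn, now=0.0)
    first = app.receive_reply(req_id, "Y", now=5.0)
    replay = app.receive_reply(req_id, "Y", now=6.0)          # the same reply a second time
    return first, replay, ms.display[-1], app.executed


if __name__ == "__main__":
    print(figure_5_scenario())
```

The point the simulation makes is that a bare acknowledgement proves only that someone holding the mobile station pressed Y for the text on the display: the details the user is confirming therefore have to be in that text, every request needs its own identifier so that one answer cannot be reused for another transaction, and a missing, late or unreachable answer must end in the closed state of step 110 rather than in a default approval.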
The mobile station 1 of Figure 3 further includes an MS PAD controller 35 (Mobile Station Personal Authentication Device controller). Of these, the SIM 34 can be employed in the invention as the means of identifying the user and/or of holding one or more secrets, while the MS PAD controller 35 controls the authentication operations. In addition to the general control of the authentication procedure, the controller 35 may, for example, be arranged to perform all the calculations for the various cryptographic operations. The arrangement in which the SIM 34 is controlled by the MS PAD controller 35 can be employed in various authentication procedures; examples follow.

Instead of the SMS-based arrangement described above, transactions can also be acknowledged in such a way that the application, such as a banking service or another commercial service paid for by electronic transaction, sends the details of the transaction to the MS PAD 35 as a data signal through the mobile network. The integrity of the signal can be verified by means of a checksum calculated by the MS PAD 35 according to a predefined algorithm using the secret of the SIM 34: the checksum must match the value displayed by the user terminal 16. If the user accepts the transaction, he acknowledges it and authorizes the MS PAD 35 to "sign" the message signal 26 from the application, either with the user's own secret (for example, a private key where public-key cryptography and non-repudiation are required) or with a secret shared with the application. The application then proceeds in accordance with the request made through the user interface. According to one embodiment, the secret or secrets of the SIM 34 can also be used to encrypt the messages and/or signaling between the application and the mobile station.

Figure 6 shows an alternative embodiment to that of Figure 2.
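The checksum-and-signature exchange described above, as an added example (constructed Python, not the applicant's code). The "predefined algorithm" is assumed to be an HMAC over a canonical encoding of the transaction details, with separate domain prefixes for the displayed checksum and for the signature; only the shared-secret signing variant is shown, not the public-key, non-repudiation variant. The account numbers, the secret and the class names are constructed test data.

```python
import hashlib
import hmac
import json


def canonical(details):
    """Serialize the transaction details so that both ends MAC exactly the same bytes."""
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode()


def verification_code(secret, details, digits=6):
    """The checksum both sides compute over the details with the SIM secret, truncated to
    a short decimal so the user can compare the terminal display with the mobile display."""
    mac = hmac.new(secret, b"verify|" + canonical(details), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def signature(secret, details):
    """The 'signature' the MS PAD returns once the user has accepted (shared-secret variant).
    The distinct domain prefix keeps it from being confused with the verification code."""
    return hmac.new(secret, b"sign|" + canonical(details), hashlib.sha256).hexdigest()


class MsPad:
    """MS PAD controller 35 (assumed model): holds the SIM secret and does the calculations."""

    def __init__(self, sim_secret):
        self._secret = sim_secret

    def show_code(self, details):
        """Arrow 27: what the mobile displays for the details it actually received."""
        return verification_code(self._secret, details)

    def sign_if_accepted(self, details, user_accepted):
        """Arrow 28: sign only what the user saw and accepted; otherwise nothing leaves the PAD."""
        return signature(self._secret, details) if user_accepted else None


class Application:
    """Banking service side: knows the secret shared with each user's SIM."""

    def __init__(self, shared_secrets):
        self.shared_secrets = shared_secrets

    def show_code(self, user, details):
        """What the user terminal 16 displays alongside the transaction."""
        return verification_code(self.shared_secrets[user], details)

    def accept(self, user, details, sig):
        """Run the transaction only on a valid signature over the application's own copy of details."""
        if sig is None:
            return False
        return hmac.compare_digest(signature(self.shared_secrets[user], details), sig)
```

The comparison the user performs between the two displays is what catches a transaction altered in transit: a changed destination account changes the code on the mobile, and a signature over altered details does not verify against the application's own copy.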
In this embodiment, the user interface 16 is an ordinary telephone terminal connected to the PSTN 20 in a manner known per se. The PSTN is also connected to an intelligent network (IN) service 60, which constitutes the application in this embodiment. The mobile station 1 includes a PAD controller 35 and a SIM 34 as described above with reference to Figure 3. According to one embodiment, MS PAD pairs, each consisting of a predefined service identifier for a given service and a personal secret, are stored in the PAD controller. These pairs can be used, for example, as follows. The user accesses a service in the IN by placing a telephone call to the service (arrow 21). The application challenges the user with a given number, either as a voice message or on a display of the telephone terminal if it has one (arrow 61). The user keys this challenge, together with the number specific to the service, into the mobile station (arrow 28), after which the PAD controller carries out the necessary calculations according to the predefined algorithm to obtain a further series of digits. In this calculation, the secret stored in the SIM for this particular user can form part of the algorithm; the secret can be either one specific to the application or a secret of the PLMN. The result of the calculation is then entered at the user interface 16 (arrow 62) and transmitted to the IN service in question via the PSTN 20. If it matches the expected value, the IN service 60 allows the user to begin using the service through the fixed-line terminal 16. This embodiment can be used, for example, when paying for telephone calls or services obtained through any ordinary POTS fixed-line telephone. For example, it allows an arrangement in which calls from any telephone terminal are charged to the mobile subscription (that is, to the holder of a particular SIM card).
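The challenge-response exchange over the PSTN, as an added example (constructed Python, not the applicant's code). The PAD calculation is assumed to be an HMAC over the service number and the challenge, reduced to eight digits the caller can read back; the IN service is assumed to learn which mobile subscription to charge from a number the caller keys in first, which the patent does not specify. The secret, the MSISDN and the service number are constructed.

```python
import hashlib
import hmac
import secrets
import time


def pad_response(sim_secret, service_id, challenge, digits=8):
    """PAD controller calculation (assumed algorithm): keyed over the service number and
    the challenge the user keyed in, reduced to digits the user can read back by phone."""
    msg = f"{service_id}|{challenge}".encode()
    mac = hmac.new(sim_secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


class InService:
    """IN service 60: issues challenges and verifies the digits the caller reads back.

    secrets_by_msisdn maps a mobile subscription to its shared secret. The caller is
    assumed to key in the MSISDN to be charged before answering the challenge."""

    def __init__(self, secrets_by_msisdn, now=time.time, ttl=90.0):
        self.keys = secrets_by_msisdn
        self.now = now
        self.ttl = ttl
        self.open_challenges = {}    # challenge -> (service_id, issued_at)
        self.charged_to = []         # MSISDNs successfully bound to a call

    def challenge(self, service_id):
        """Arrow 61: a fresh random challenge, spoken or displayed to the caller."""
        c = str(secrets.randbelow(10 ** 8)).zfill(8)
        self.open_challenges[c] = (service_id, self.now())
        return c

    def verify(self, claimed_msisdn, challenge, response):
        """Arrow 62: accept only a fresh, unexpired challenge answered with the right secret."""
        entry = self.open_challenges.pop(challenge, None)   # single use: no replay
        if entry is None:
            return False
        service_id, issued = entry
        if self.now() - issued > self.ttl:
            return False
        secret = self.keys.get(claimed_msisdn)
        if secret is None:
            return False
        ok = hmac.compare_digest(pad_response(secret, service_id, challenge), response)
        if ok:
            self.charged_to.append(claimed_msisdn)   # bill the call to this subscription
        return ok
```

Binding the service number into the calculation is what stops a response obtained for one service from being replayed to another; consuming the challenge on first use and expiring it stops the same digits being read back twice.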
Mobile subscribers may find this service useful, for example, where calls made from the mobile phone are more expensive than calls made from an ordinary POTS phone, or where the mobile station 1 is not within an area of such a mobile network in which the user would have an adequate radio connection.

According to a further embodiment (not illustrated), the mobile station 1 and the user interface 16 can communicate directly with each other through a suitable operational connection, such as a radio connection, an infrared connection, or a fixed wired connection with the necessary couplings. This reduces the risk of input errors the user may make when acting as the "link" between the mobile station 1 and the user interface 16.

According to an alternative, a mobile station is arranged to accept more than one SIM card 34. In this way a single mobile station can be used for different authentication purposes. For example, a user could have three different SIMs: one for the authentications required by his work, one for personal needs, and one for an additional role, for example as "director of an association". Each SIM can have its own telephone number, ring tone, and so on.

According to a further alternative, the mobile station 1 communicates with the application through a PLMN, and the messages and/or signaling required in this communication are encrypted using the secret or secrets of the SIM. This allows secure communication using only one communication network, namely the PLMN, since the secret of the SIM is unique and third parties are unable to read the information carried in the signaling or to inject signaling of their own.

A further embodiment of the present invention is explained below with reference to Figures 1 and 7. Figure 7 shows a schematic map of cells of an arbitrary geographic area that is divided into several contiguous radio coverage areas, or cells.
While the system of Figure 7 is shown with only 10 cells (C1 to C10), the number of cells in practice may be higher. A base station is associated with, and located within, each of the cells; these base stations are designated BS1 to BS10, respectively. The base stations are connected to base station subsystems (BSS 6 of Figure 1). A cell can also encompass one or more base stations. The cells are grouped into four groups A to D, each of which can include one or more cells, as indicated by the corresponding markings. Each group is treated by the system as a unit, so that four different cell categories A to D are provided. The purpose of this is to illustrate that the cells can be divided into different authentication categories or classes. The idea is that the authentication data in the authentication database may include restrictions that do not allow the user to access the application unless the mobile station is within a certain predefined cell area. For example, if a company uses an employee's mobile station for authentication, the area can be limited so that authentication is permitted only in the cells located near the company's office (for example, those in area A).

The above can easily be implemented by means of the visitor location register VLR, designated by the number 8 in Figure 1. A mobile station (MS) 1 or 2 moving in the area of the MSC is controlled by the VLR 8 responsible for that area. When MS 1 or 2 appears in the location area, the VLR initiates an update procedure. The VLR 8 also has a database that includes, for example, the IMSI, the MSISDN and the location area in which the mobile station is registered, in accordance with, for example, the GSM 09.02 specification. The global cell identity further includes a cell identity and is included in the messages between the mobile station 1 and the MSC 10.
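The cell-category restriction of Figure 7, as an added example (constructed Python, not the applicant's code). The cell map, the VLR contents, the IMSIs and the MCC/MNC values are constructed; the cell global identity is taken as MCC, MNC, LAC and CI, and the policy denies anything that is not positively inside a permitted category (station not registered, cell not on the map, no policy entry for the subscription).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CellGlobalId:
    """Cell global identity as carried in MS-MSC signaling: MCC, MNC, LAC and CI."""
    mcc: str
    mnc: str
    lac: int
    ci: int

    @classmethod
    def parse(cls, text):
        """Parse the 'MCC-MNC-LAC-CI' notation used for the constructed data below."""
        parts = text.split("-")
        if len(parts) != 4:
            raise ValueError(f"bad cell global id: {text!r}")
        mcc, mnc, lac, ci = parts
        if not (mcc.isdigit() and len(mcc) == 3 and mnc.isdigit() and len(mnc) in (2, 3)):
            raise ValueError(f"bad MCC/MNC in {text!r}")
        lac_i, ci_i = int(lac), int(ci)
        if not (0 <= lac_i <= 0xFFFF and 0 <= ci_i <= 0xFFFF):
            raise ValueError(f"LAC/CI out of range in {text!r}")
        return cls(mcc, mnc, lac_i, ci_i)


# Constructed cell map for Figure 7: ten cells C1..C10 grouped into categories A..D.
CELL_GROUPS = {
    "A": {"244-05-1001-1", "244-05-1001-2", "244-05-1001-3"},
    "B": {"244-05-1001-4", "244-05-1002-5"},
    "C": {"244-05-1002-6", "244-05-1002-7", "244-05-1002-8"},
    "D": {"244-05-1003-9", "244-05-1003-10"},
}
GROUP_OF = {CellGlobalId.parse(c): g for g, cells in CELL_GROUPS.items() for c in cells}


class LocationPolicy:
    """Authentication-database restriction: which cell categories each subscription may
    authenticate from. vlr is a constructed stand-in for VLR 8: IMSI -> current cell."""

    def __init__(self, vlr, allowed_groups):
        self.vlr = vlr
        self.allowed_groups = allowed_groups    # IMSI -> set of category names, or None

    def check(self, imsi):
        """Return (allowed, reason). Anything not positively inside a permitted cell is denied."""
        if imsi not in self.allowed_groups:
            return False, "no policy for subscription"
        allowed = self.allowed_groups[imsi]
        if allowed is None:
            return True, "no location restriction"
        cell = self.vlr.get(imsi)
        if cell is None:
            return False, "mobile station not registered in VLR"
        group = GROUP_OF.get(cell)
        if group is None:
            return False, f"cell {cell.mcc}-{cell.mnc}-{cell.lac}-{cell.ci} not in any category"
        if group not in allowed:
            return False, f"cell category {group} not permitted"
        return True, f"cell category {group} permitted"
```

The deny-by-default branches are the practical part: a station that has dropped out of the VLR, or that reports a cell nobody assigned to a category, must fail the location check rather than fall through to "unrestricted".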
This information can be used as an indicator for finding the location of the mobile station MS 1, which is then used in this embodiment.

It will be noted here that the mobile station can be any type of apparatus that gives a user the possibility of mobile communication, other than the mobile telephone 1 or the integrated mobile telephone and computer unit 2; this latter arrangement is sometimes also known as a "communicator". What matters is that the mobile station can receive and/or transmit the desired information, which in some cases may take the form of text or voice messages only, rather than a specific authentication code or signal. Furthermore, in the preceding examples the application 45 is arranged to provide a link between the two communication networks, so that both can be used for connecting the user with the application. However, this can also be achieved by another party. For example, an ISP or similar service provider, or a telecommunications network operator, may act as the authentication authority and/or provide the link between the two communication networks and a secure connection to the actual application.

Thus, the invention offers an apparatus and method by which a significant improvement in the area of authentication can be achieved. The arrangement according to the present invention is easy and inexpensive to implement with components known per se and is reliable in use. It will be noted that the foregoing examples of embodiments of the invention are not intended to restrict the scope of the invention defined in the appended claims. All further embodiments, modifications and applications apparent to those skilled in the art are included within the spirit and scope of the invention set out in the appended claims.
Claims (20)
- 1. A method of authenticating a user to an application, the application being available to the user through a first communication network, the method comprising: establishing a connection between the application and a user interface through the first communication network in order to allow a user access to the application; establishing a connection between the application, which can connect to a database in which a mobile station is registered, and the mobile station through a second communication network; and authenticating the user to the application by means of communication between the mobile station and the application through the second communication network.
- 2. A method according to claim 1, wherein the step of authenticating comprises using the mobile station to verify the identity of the user when the user accesses the application through the user interface.
- 3. A method according to claim 1, wherein the step of authenticating comprises using the mobile station to acknowledge a transaction or procedure that the user has previously requested from the application through the user interface.
- 4. A method according to claim 1, wherein the step of authenticating comprises using the mobile station in such a way that a secret of a Subscriber Identity Module (SIM) of the mobile station is employed in encryption operations for the authentication.
- 5. A method according to any of the preceding claims, wherein the mobile station is a cellular telephone and the second communication network comprises a digital cellular network.
- 6. A method according to any of the preceding claims, comprising the use of a secret of a Subscriber Identity Module (SIM) of the mobile station for encrypting the signaling associated with the authentication step.
- 7. A method according to any of the preceding claims, wherein a Subscriber Identity Module (SIM) of the mobile station is employed to provide the identity of the user.
- 8. A method according to claim 7, comprising the step of charging the cost of the connection from the user interface to the application to the subscriber of the subscription identified by the SIM.
- 9. A method according to any of the preceding claims, wherein at least part of the signaling between the application and the mobile station takes the form of short message service text messages.
- 10. A method according to any one of the preceding claims, comprising the step of employing location area information of the mobile station as a parameter of the authentication procedure.
- 11. An arrangement for providing user authentication to an application provided by an application provider through a communication network, comprising: a user interface; a first connection between the application and the user interface through the communication network in order to allow use of the application; a mobile station; a second connection, through a second communication network, between the application, which can connect to a database in which the mobile station is registered, and the mobile station, in order to allow authentication; and means for authenticating the user to the application through the second communication network.
- 12. An arrangement according to claim 11, wherein the mobile station is a cellular telephone and the second communication network is a digital cellular network.
- 13. An arrangement according to claim 11 or claim 12, wherein the authentication signaling to and from the mobile station takes the form of text messages provided by a short message service (SMS) of the mobile communications network.
- 14. An arrangement according to any of claims 11 to 13, wherein the mobile station comprises a mobile station personal authentication device (MS PAD) arranged to control the authentication procedure, and a Subscriber Identity Module (SIM) that includes a secret and is operationally connected to the MS PAD, the SIM secret being arranged to be used in the authentication procedure.
- 15. An arrangement according to any of claims 11 to 14, wherein the application is a banking service, an electronic purchasing service, or some other commercial service that requires acknowledgement of an electronic transaction.
- 16. A mobile station for providing authentication to an application provided through a communication network, wherein: the application is accessed through a user interface connected to the communication network; the mobile station uses, for its communications, a communication network different from that of the user interface; and the mobile station is used to authenticate the use of said application accessed through the user interface.
- 17. A mobile station according to claim 16, comprising an integrated mobile station personal authentication device (MS PAD) arranged to control the authentication procedure.
- 18. A mobile station according to claim 16 or claim 17, wherein the station is a digital mobile telephone and comprises a Subscriber Identity Module (SIM) that includes a secret, the secret of the SIM being arranged to be employed in the authentication procedure.
- 19. A mobile station according to claim 18, comprising at least one additional SIM.
- 20. A mobile station according to claim 16 or claim 19, comprising a device for communicating directly with the user interface, for example an infrared or radio transceiver capable of communicating with the user interface.
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FI980427 | 1998-02-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
MXPA00007816A true MXPA00007816A (en) | 2001-06-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1058872B1 (en) | Method, arrangement and apparatus for authentication through a communications network | |
US7043230B1 (en) | Method and system for multi-network authorization and authentication | |
US7142840B1 (en) | Method and system for multi-network authorization and authentication | |
RU2415470C2 (en) | Method of creating security code, method of using said code, programmable device for realising said method | |
EP1216538B1 (en) | Method and apparatus for executing secure data transfer in a wireless network | |
EP1102157B1 (en) | Method and arrangement for secure login in a telecommunications system | |
KR100392792B1 (en) | User authentication system and method using a second channel | |
US20050044042A1 (en) | Financial transaction system and method using electronic messaging | |
CN101189616A (en) | Facilitating and authenticating transactions | |
US20100191626A1 (en) | Financial transaction system | |
WO1998042173A2 (en) | Use of banking services in a digital cellular radio system | |
KR100824743B1 (en) | Method for user authentication using mobile phone and system therefor | |
US20030046246A1 (en) | Blocking server | |
GB2396707A (en) | Authenticating transactions over a telecommunications network | |
CN109587683B (en) | Method and system for preventing short message from being monitored, application program and terminal information database | |
KR20040083272A (en) | Method and System for Authentication of User on Web and/or Wireless Network by Using Mobile Terminal Loaded a Challenge/Response Based Mobile One-Time Password Module | |
RU2354066C2 (en) | Method and system for authentication of data processing system user | |
US20050102519A1 (en) | Method for authentication of a user for a service offered via a communication system | |
KR100380853B1 (en) | A graded security policy setting method for authentication and non-repudiation in mobile data communication | |
WO2017109652A1 (en) | Associating a token identifier with a user accessible data record | |
MXPA00007816A (en) | Method, arrangement and apparatus for authentication through a communications network | |
KR20020045355A (en) | User certification method for mobile electronic commerce | |
KR20020041354A (en) | Mamber's call-ID witness type internet site login service system | |
KR102705620B1 (en) | Secure user two factor authentication method | |
KR101072930B1 (en) | Method for approving the telephone number change request |