SE535009C2 - Secure user identification - Google Patents

Secure user identification Download PDF

Info

Publication number
SE535009C2
SE535009C2 SE1050777A SE1050777A SE535009C2 SE 535009 C2 SE535009 C2 SE 535009C2 SE 1050777 A SE1050777 A SE 1050777A SE 1050777 A SE1050777 A SE 1050777A SE 535009 C2 SE535009 C2 SE 535009C2
Authority
SE
Sweden
Prior art keywords
session
mobile terminal
user
local device
data network
Prior art date
Application number
SE1050777A
Other languages
Swedish (sv)
Other versions
SE1050777A1 (en
Inventor
Joel Sandstroem
Original Assignee
Nordic Wallet Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nordic Wallet Ab filed Critical Nordic Wallet Ab
Priority to SE1050777A priority Critical patent/SE535009C2/en
Priority to PCT/SE2011/050686 priority patent/WO2012005653A1/en
Publication of SE1050777A1 publication Critical patent/SE1050777A1/en
Publication of SE535009C2 publication Critical patent/SE535009C2/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/34User authentication involving the use of external additional devices, e.g. dongles or smart cards
    • G06F21/35User authentication involving the use of external additional devices, e.g. dongles or smart cards communicating wirelessly
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/36User authentication by graphic or iconic representation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/08Payment architectures
    • G06Q20/10Payment architectures specially adapted for electronic funds transfer [EFT] systems; specially adapted for home banking systems
    • G06Q20/108Remote banking, e.g. home banking
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322Aspects of commerce using mobile devices [M-devices]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3274Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being displayed on the M-device
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/30Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327Short range or proximity payments by means of M-devices
    • G06Q20/3276Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being read by the M-device
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/42Confirmation, e.g. check or permission by the legal debtor of payment
    • G06Q20/425Confirmation, e.g. check or permission by the legal debtor of payment using two different networks, one for transaction and one for security confirmation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/02Banking, e.g. interest calculation or account maintenance
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/18Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W80/00Wireless network protocols or protocol adaptations to wireless operation
    • H04W80/08Upper layer protocols
    • H04W80/10Upper layer protocols adapted for application session management, e.g. SIP [Session Initiation Protocol]

Abstract

A system (1) for secure identification of a user (2) includes a mobile terminal (10) which is operatively connected to a telecommunications network (30) and to a data network (40). The system also includes a local device (20) which is operatively connected to the data network; and a server side (50) comprising at least one server (52a-n) operatively connected to the data network and at least one server (52a-n) operatively connected to the telecommunications network. The server side (50) is configured to initiate a communication session (42) with the local device (20) over the data network (40), said communication session having a session ID, to generate a representation (24) of the session ID and to transmit the representation to the local device over said data network. The local device (20) is configured to present the representation in a user interface (22) of the local device. The mobile terminal (10) is configured to capture the presented representation so as to derive the session ID, and to send a message containing the derived session ID to the server side over the data network. The server side is further configured to determine an identity of the mobile terminal on the telecommunications network, to verify the determined mobile terminal identity against prestored reference data (56) which links the mobile terminal identity to private user information (54) pertaining to the user (2), and, upon successful verification, to associate the communication session with the private user information.

Description

100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx l Secure user identification Technical FieldThe present invention relates to a system for secure identification of a user. Theinvention also relates to corresponding methods and associated computer program products.
BackgroundThe innovation generally relates to the problem of providing secure identi-fication of a user. As is well known per se, a digital identity is used for variouspurposes, for instance bank login, web page login, signing of payment transactions,signing of real world (retail store) transactions, access to personal digital services, etc.All computerized services based on private user information stored in an accountrequire and make benefit of a secure login or signing to access the private userinformation. Today and in the future more digital services will be available outside theworld wide web and be more integrated into real life. Flying with an airline today is anexample of a digital service where no pre-printed ticket is needed.Taking bank login as an example, the prevailing existing solutions make use of a separate portable authenticator or code generator (for instance VASCO DIGIPASS,which is used by the Swedish banks SEB and Swedbank). A user who wants to login tohis bank account will use a web client in a local device, such as a handheld, laptop orstationary computer, to visit the web site of the bank and select a login form. The bankserver will initiate a secure web session with the local device. In order to complete theestablishment of the secure web session, the bank server will require a secureidentification of the user. To this end, the user will have to enter some personalidentification data in the web login form, such as his social security number. Moreover,the user will enter a PIN code on his portable code generator together with at least onecontrol code shown by the bank server in the login form on the local device. Inresponse, the portable code generator will output a random code that the user reads andthen enters into the login form on the local device. The bank server will authenticate theuser by verifying that the entered random code matches the control code and has beengenerated by the particular code generator previously linked to the particular userhaving the entered personal identification data.
There are several drawbacks with this prior art solution. 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 2 Firstly, the user Will have to bring and keep track of a separate device, namelythe portable code generator, Which is inconvenient for logistic reasons.
Secondly, the solution requires several steps of manual interaction by the user.In the example above, the user Will first have to enter his PIN code on a miniaturekeypad of the portable code generator. Such activity is prone to input errors caused bythe user pressing another key than the intended one. Then, the user Will enter hispersonal identification data in the login forrn. After that, the user Will have to visuallyread the generated control code on the display of the local device and correctly entereach digit thereof on the keypad of the portable code generator - again an activity Whichis exposed to input errors. Finally, the user Will have to read the generated random codefrom a small, monochrome display on the portable code generator (Which may bedifficult particularly When the ambient light conditions are poor, or if the user is avisually impaired person), and correctly enter each digit of the random code into thelogin form on the local device.
Thirdly, the solution is far from user friendly, since it is designed and dictatedsolely by the service provider (the bank) and not by or for the user and his need for aconvenient solution.
Fourthly, there is a security issue due to the fact that the control code Which theuser reads from the local device and enters on his code generator must be limited inlength for practical reasons. The more digits in the control code, the higher the risk thatthe user makes an input error by pressing the Wrong key on the keypad of the codegenerator. HoWever, a more complex (e. g. longer) control code Would have beenpreferred from a data security point of view, since that Would provide for a broader codespace Which is harder to break.
Fifthly, a personal integrity issue lies in the fact that the user has to reveal hispersonal identification data, e.g. his social security number, during the login procedure.
The present inventors have realized that there is room for improvements Withrespect to these problems, not only as regards the bank login example referred to above, but also When it comes to providing secure identification of a user in general.
Summary It is accordingly an object of the invention to eliminate or alleviate at leastsome of the problems referred to above.
As a conceptual idea behind the invention, the present inventors have realized that the manual steps required by a user to securely identify himself to a server side can 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 3 be considerably reduced. The present inventors have also realized that the need for aseparate portable authenticator or code generator can be eliminated. Instead, inventiveuse can be made of a mobile terrninal and its unique identity on a telecommunicationsnetwork.
This conceptual idea has been reduced to practice at least according to theaspects and embodiments of the invention referred to below.
One aspect of the present invention therefore is a system for secureidentification of a user, the system comprising: a mobile terminal which is operativelyconnected to a telecommunications network and to a data network; a local device whichis operatively connected to the data network; and a server side comprising at least oneserver operatively connected to the data network and at least one server operativelyconnected to the telecommunications network. This system is characterized in that theserver side is conf1gured to initiate a communication session with said local device oversaid data network, said communication session having a session ID, to generate arepresentation of the session ID and to transmit the representation to the local deviceover said data network. The local device is configured to present the representation in auser interface of said local device. The mobile terminal is configured to capture thepresented representation so as to derive said session ID, and to send a messagecontaining the derived session ID to the server side over said data network. The serverside is further conf1gured to determine an identity of the mobile terminal on thetelecommunications network, to verify the deterrnined mobile terminal identity againstprestored reference data which links the mobile terminal identity to private userinformation pertaining to said user, and, upon successful verification, to associate saidcommunication session with said private user information.
In one or more embodiments, the data network is comprised in the Intemet oris compatible therewith. The local device may be a computer having a web clientapplication (such as Intemet Explorer, Mosaic, Netscape Navigator, NetscapeCommunicator, Opera, Mozilla Navigator, Mozilla Firefox, Safari or Google Chrome).The communication session may be a secure web session (such as an HTTPS(Hypertext Transfer Protocol Secure) session over TLS (Transport Layer Security) orSSL (Secure Sockets Layer (SSL). However, the invention is expressly not limited tocommunication sessions of this kind only, as will be clear from later sections of thisdocument.
It is to be emphasized that the term “session ID” is not limited to any particular format or constitution within the context of the present invention. Generally, any piece 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 4 of data will qualify as “session ID”, so long as it a) serves to identify the communi-cation session for the server side, b) can be included in the representation sent to thelocal device, and c) can be derived by the mobile terminal having captured the presentedrepresentation on the local device.
In one or more embodiments, the telecommunications network is compliantwith one or more standards selected from the group consisting of: GSM, UMTS, LTE,D-AMPS, CDMA2000, FOMA or TD-SCDMA. However, within the context of thepresent invention, the scope of “telecommunications networ ” is not limited to any ofthese standards. On the contrary, any network capable of conveying communicationwith or between mobile devices is to be regarded as a “telecommunications networ ”,so long as the network has intelligence which is capable of assigning and detectingunique identities of mobile devices included in the network, and is capable of detectingwhen multiple mobile devices with the same identity attempt to access the network.
In one or more embodiments, the mobile terminal is configured to include, inthe message which contains the derived session ID and is sent on the data network,information about the mobile terminal identity it has on the telecommunicationsnetwork. The server side is configured to use this information which is included in saidmessage when verifying the deterrnined mobile terminal identity against the prestoredreference data. In other words, the server side bases its authentication of the mobileterminal both on the identity of the mobile terminal as reported in the message over thedata network and on the identify of the mobile terminal as detected on the telecom-munications network. This prevents malicious attempts to use another mobile terminal°sidentity. The mobile terminal identity may for instance be the IMSI (IntemationalMobile Subscriber Identity) stored on the SIM card in the mobile terminal, or themobile terminal”s hardcoded IMEI (Intemational Mobile Equipment Identity), orbasically any prestored unique identity information in the mobile terminal which isdetectable by the telecommunications network and which cannot be manipulated by auser.
In one or more embodiments, the server side is configured to generate therepresentation of the session ID in the form of graphical image data which contains anencoded version of the session ID and which can be visually presented on a display ofthe local device. Advantageously, the graphical image data is a two-dimensional bar-code such as a Quick Response (QR) code. However, other formats for therepresentation of the session ID are possible in other embodiments, including other graphical image formats but also non-visual formats such as for instance audio formats. 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal veifsiormdocx 5 Basically, any data format for the representation of the session ID is feasible, providedthat it i) can be transmitted by the server side to the local device over the data network,ii) can the presented by the local device in a user interface thereof (such as a displayscreen or a loudspeaker), and iii) can be captured by the mobile terrninal (using forinstance a camera or a microphone) and processed in order to derive the includedsession ID.
A second aspect of the invention is a method of secure identification of a userhaving access to a mobile terrninal operatively connected to a telecommunicationsnetwork, and to a local device operatively connected to a data network. The methodcomprises the steps, at a server side operatively connected to said data network and saidtelecommunications network, of: initiating a communication session over the data network with the local device,said communication session having a session ID; generating a representation of the session ID in a format suitable forpresentation in the user interface of the local device, in tum suitable for capture by themobile terminal upon presentation in said user interface so as to derive the session IDincluded in said representation; transmitting the representation to the local device over said data network; receiving from the mobile terminal over said data network a messagecontaining the derived session ID; deterrnining an identity of the mobile terminal on the telecommunicationsnetwork; verifying the deterrnined mobile terminal identity against prestored referencedata which links the mobile terminal identity to private user information pertaining tosaid user; and upon successful verification, associating said communication session, havingthe derived session ID, with said private user information.
A third aspect of the invention is a computer program product comprisingcomputer program code for performing the method according to the second aspect ofthe invention when said computer program code is executed by a processor.
A fourth aspect of the invention is a method of secure identification of a userhaving access to a mobile terminal operatively connected to a telecommunicationsnetwork, and to a local device operatively connected to a data network. The methodcomprises the steps, in said mobile terminal, of: capturing data presented in the user interface of the local device; 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 6 processing the captured data to derive a session ID included therein, whereinthe session ID represents a communication session over the data network between thelocal device and a server side; sending a message containing the derived session ID to the server side over thedata network; and cooperating with the server side to allow deterrnination of an identity of themobile terminal on the telecommunications network.
A f1fth aspect of the invention is a computer program product comprisingcomputer program code for performing the method according to the fourth aspect of theinvention when said computer program code is executed by a processor.
Embodiments of the second to fifth aspects of the invention may generallyhave the same or directly corresponding features as any of the features referred to abovefor the first aspect.
Embodiments of the invention have an advantage in that secure useridentification is provided in a lo gistically improved manner by eliminating the need fora separate code generator.
Another advantage is that secure user identification can be made moreefficiently, since the manual interaction required from the user has been reduced.
Still an advantage is an improvement in terms of user friendliness.
Yet an advantage is an improvement in data security, since the steps of manualuser interaction to read a control code and enter it on a code generator have beeneliminated, which imposed a limitation on the complexity of the control code in theprior art.
Also, there is an advantage in terms of personal integrity, since the user will not have to expose any personal identification data during the login procedure.
Brief Description of the Drawings Objects, features and advantages of embodiments of the invention will appearfrom the following detailed description, reference being made to the accompanyingdrawings, in which: Fig 1 is a schematic illustration of a non-limiting example of a system forsecure identification of a user, in which embodiments of the present invention may be exercised; 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal veifsiormdocx 7 Fig 2 is a flow chart and signaling diagram illustrating some of the activitiesand messages which are perforrned and exchanged in the system of Fig 1 whenperforming a method for secure identification of a user; and Fig 3 illustrates a use case where an embodiment of the present invention is used for the purpose of logging in to an Intemet bank.
Detailed Description Embodiments of the invention will now be described with reference to theaccompanying drawings. The invention may, however, be embodied in many differentforms and should not be construed as limited to the embodiments set forth herein;rather, these embodiments are provided so that this disclosure will be thorough andcomplete, and will fully convey the scope of the invention to those skilled in the art.The terrnino lo gy used in the detailed description of the particular embodimentsillustrated in the accompanying drawings is not intended to be limiting of the invention.In the drawings, like numbers refer to like elements.
The invention will first be described on a general level with reference to asystem and a method for secure identification of a user shown in Figs 1 and 2. Then,some more detailed embodiments and use cases will be described.
Fig 1 illustrates a system 1 for secure identification of a user 2. The user 2 willuse a local device 20 to access a service provided over a data network 40 by one ormore servers 52a, 52b, 52n at a server side 50. The operation of the service is based atleast partially on some sort of private user information 54 pertaining to the user 2 andstored in a memory 55 accessible to at least one of the servers 52a-52n. The private userinformation 54 may for instance relate to a bank account, a payment transaction, orbasically any digital asset belonging to or associated with the user 2. The service mayfor instance be bank login, login to another web service, sign transaction, sign realworld transaction (like a VISA card payment), transfer money between users, or usingthe service as an electronic ticket.
The local device 20 may for instance be a stationary, portable or handheldcomputer running an appropriate client operating system and provided with softwarecapable of communicating with the user 2 through a user interface 22, as well as withthe server side 50 over a communication session 42 on the data network 40, to performthe requested service. Correspondingly, the servers 52a-52n may be any number of server computers or server computer arrays running appropriate server operating 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 8 system(s) and being capable of providing the requested service to the user 2 over thecommunication session 42 on the data network 40.
The user 2 also has access to a mobile terminal 10, e.g. a mobile phone, smart-phone or personal digital assistant (PDA). According to the invention, the mobileterminal 10 plays an active role in the secure identification of the user 2. In addition tothis, the user 2 may of course use his mobile terminal 10 to conduct voice calls withother users which are accessible through a telecommunications network 30. In additionto voice calls, the user 2 may use various other telecommunications services, such asIntemet browsing, video calls, data calls, facsimile transmissions, still image trans-missions, video transmissions, electronic messaging, and e-commerce. None of thesetelecommunication services are however central within the context of the presentinvention; there are no limitations to any particular set of services in this respect.
The mobile terminal 10 connects to the telecommunications network 30 over aradio link 34 and a base station 32. The mobile terminal 10 and the telecommunicationsnetwork 30 may comply with any commercially available mobile telecommunicationsstandard, including but not limited to GSM, UMTS, LTE, D-AMPS, CDMA2000,FOMA and TD-SCDMA. A conventional public switched telephone network (PSTN)with various stationary telephone terrninals may be connected to the telecommuni-cations network 30.
The functionality performed in the system 1 in order to provide secureidentification of the user 2 can be summarized as follows. Initially, when the service isrequired by the user 1, a request may be sent from the local device 20 to the server side50 (see step 202 in Fig 2). In response, the communication session 42 will beestablished between the server side 50 and the local device 20. The communicationsession 42 will be assigned a session ID, see step 204 in Fig 2. The communicationsession 42 may for instance be a secure web session (such as HTTPS TLS or SSL)between a web client in the local device 20 and a web server at the server side 50, butother kinds of communication sessions are also possible. Notably, however, and unlikethe prior art approaches referred to in the Background section of this document, thecommunication session 42 will at this stage not be linked to any particular user, nor toany private user information at the server side 50. Instead, at this early stage, the session42 will be secure but anonymous in the sense that the server side 50 is unaware of theuser or private user information which it is to be associated with.
In order to determine who the session 42 relates to and obtain an authenticated session, the following measures are taken. In step 206, the server side 50 generates a 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 9 representation of the session ID of the communication session 42. Advantageously, therepresentation takes the forrn of graphical image data, preferably a two-dimensionalbarcode such as a Quick Response (QR) code. However, other altematives for therepresentation generated in step 206 are also possible, as has been explained above inthe Summary section. In step 208, the server side 50 transmits the representation of thesession ID over the data network 40 to the local device 20, as seen at 209. Thetransmission 209 may be made in accordance with any standard or protocol applicablefor the type of communication session in question. For instance, when the session 42 isa web session and the representation is a QR code, the transmission 209 may involveembedding the QR code in html or xml code which is read by the local device 20 fromthe server side 50. Upon receipt of the transmitted representation at the local device 20,the local device 20 will present the received representation of the session ID in its userinterface 22. Continuing with the example given above, this may involve using a webclient application in the local device 20 for rendering the received html or xml code andpresenting the embedded QR code, as seen at 24 in Fig 1, on a display unit which is partof the user interface 22.
The user 2 may now use his mobile terminal 10 to proceed with his secureidentification to the server side 50. Initially, in a step 212, the user 2 will start a secureidentification application in his mobile terminal and login, for instance by entering aPIN code. The secure identification application may for instance be a Java applet ormidlet, or any other kind of executable piece(s) of software written in an appropriateprogramming language which is compatible with the operating system of the mobileterminal. The application is responsible for performing or controlling the essential partsof the mobile terrninal-side functionality shown in Fig 2.
Thus, in step 214, the user 2 will use his mobile terminal to capture therepresentation 24 as presented in the user interface 22 of the local device. In thedisclosed embodiment where the representation is in the form of a graphical QR code,the capture will be done by taking a photograph of the shown QR code 24 by means of acamera 12 included in the mobile terminal 10. The photograph may be subjected toimage pre-processing, if appropriate, in order to enhance the readability of its contents.Then, the mobile terminal will process the representation included in the image byappropriate object recognition algorithms in order to derive the session ID.
In step 216, the mobile terminal 10 will compose a message 217 whichcontains the derived session ID from step 214. The message 217 will be sent to the server side 50 over an appropriate communication channel, such as a TLS or SSL 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx connection over the data network 40. The message 217 also contains an identifier of themobile terrninal on the telecommunications network 30, for instance its IMSI or IMEInumber. Advantageously, the derived session ID, and possibly other content of themessage 217, is encrypted with an encryption key stored in the mobile terminal 10. Anyopen or proprietary encryption standard may be used for such encryption, including butnot limited to AES (“Advanced Encryption Standard”) or DES (“Digital EncryptionStandard”). The encryption key may for instance have been received in the mobileterminal in conjunction with retrieval and installation of the secure identificationapplication in the mobile terminal 10.
On the server side 50, the message 217 is received in step 218 over the datanetwork 40. The message is analyzed to determine the mobile terminal identifierincluded therein. When encryption has been applied, the server side 50 may useprestored reference data 56 in a secure database 57 to retrieve a decryption key suitablefor the mobile terminal 10 in question, as identified by the mobile terminal identifier.Such decryption key may have been stored in the prestored reference data 56 in con-junction with the mobile terminal°s 10 retrieval and installation of the secure identi-fication application. Following decryption, if applicable, the derived session IDincluded in the message 217 is deterrnined in step 218.
In order to verify that the message 217 with its derived session ID trulyoriginates from the mobile terminal 10 and not from another mobile terminalmaliciously trying to act as the mobile terminal 10, in step 219 the server side deter-mines the identity of the mobile terminal 10 also via the telecommunications network30. In other words, the server side 50 uses the inherently secure and non-public natureof the telecommunications network 30 to verify that the IMSI, IMEI, etc, of the mobileterminal 10, as reported in the message 217 over the data network 30, is the same as theIMSI, IMEI, etc, detected for the mobile terminal 10 on the telecommunicationsnetwork 30.
To this end, the deterrnination in step 219 of the identity of the mobile terminal10 on the telecommunications network 30 may be done by way of a message such as adata SMS or MMS sent from the mobile terminal 10 (see step 221 in Fig 2) to a tele-communications server included among servers 52a-52n. The server side 50 mayretrieve the identity (i.e. the IMSI) of the mobile terminal 10 from the header section ofthis SMS or MMS message. Altematively, the deterrnination in step 219 may start withthe server side 50 sending a challenge request in a message such as a data SMS or an MMS to the mobile terminal 10 over the telecommunications network 30. Upon receipt, 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx ll the mobile terminal 10 may generate and send a challenge response over a secureconnection on the data network 40 to the server side 50 in step 221. Only the truemobile terrninal 10 will receive the challenge request over the telecommunicationsnetwork 30; therefore, when the server side 50 receives the challenge response, it knowsthat it must have come from the true mobile terrninal 10 and has therefore indirectlydeterrnined the mobile terminal°s 10 identity on the telecommunications network 30.
Instead of sending a message, the deterrnination of the identity of the mobileterrninal 10 on the telecommunications network 30 may involve placing a data call instep 221 from the mobile terrninal 10 to the telecommunications server. Upon receivingthe incoming data call in step 219, the telecommunications server may determine theidentity of the terrninal 10 as the Caller Identification (CID), Calling Line Identification(CLID), Calling Number Identification (CNID), etc, depending on implementation.
As still other altematives, the server side 50 may use other inherent propertiesof the telecommunications network 30 to determine the identity of the mobile terrninal10 on the telecommunications network 30. This may, for instance, involve referral tosystem databases which are integral parts of the telecommunications network 30, suchas a HLR (“Home Location Register”) or VLR (“Visiting Location Register”) in whichthe IMSI and IMEI of mobile terrninals in the network 30 are included. This may becombined with deterrnination of the cell ID for the cell in the network 30 that theterrninal 10 is currently residing in, and matching with a self-reported cell ID as part ofthe message 217 over the data network 40. The skilled person will understand that thereare many options for deterrnining the true identity of a mobile terrninal on a telecom-munications network, and the invention is not limited in any particular way.
Once the identity of the mobile terrninal 10 on the telecommunications network30 has been deterrnined in step 219, the server side 50 may verify in step 220 that thisidentity is the same as the mobile terrninal identifier reported in the message 217 overthe data network 30. If the secure identification application is copied to other devices orcomputers than the true mobile terrninal 10, or if a communication is started by some-one simulating the application, the server side 50 will know that the communication isnot sent by the true mobile terrninal 10. Even though the communication sent by theintruder will simulate all information sent through the data network 40 (wherein theserver side 50 may fail to detect that data is sent by someone else than the true user 2 onthe data network 40), the server side 50 will nevertheless detect that the application does not communicate using the true mobile terrninal on the telecommunications network 30. 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal veifsiormdocx 12 The server side 50 will therefore know that the communication is not sent by theverified hardware.
Moreover, in step 220, the deterrnined mobile terminal identity will be verifiedagainst the prestored reference data 56 which links the mobile terrninal identity to theprivate user information 54 that pertains to the user 2 and is stored in the memory 55.Upon successful Verification in step 220, the communication session 42 as created instep 204 can be associated with the private user information 54 of the user 2 in asubsequent step 222. This can be done through the use of the session ID, which wasassigned to the communication session 42 in step 204 and which is also available in themessage 217 reported from the mobile terminal 10 to the server side 50 after capturingof the representation of the session ID on the local device 20. As a result of step 222,the secure communication session 42 has now become an authenticated session, see step224, in the sense that it is now associated at the server side 50 with the particular user 2and his private user information 54.
The secure user identification procedure described above requires retrieval andinstallation of a secure identification application in the mobile terminal. In embodimentsof the invention, this may be done in a secure and yet convenient manner in thefollowing manner. First, the user 2 will download the software that will constitute thesecure identification application to his mobile terminal 10. This may be done in theconventional way, e. g. in a web session, an ftp session, as an attachment to an emailmessage, over a serial interface such as USB, etc. Altematively, it may for instance bedone by scanning a QR-coded version of the software being presented at for instance aweb site and interpreting the scanned QR code as software code.
The thus obtained software will then be installed in the mobile terminal 10. Theuser 2 may advantageously be prompted to set a PIN code to be used for subsequentuses of the secure identification application (e. g. in login step 212 of Fig 2).
During installation, or the first time the application is run, the user 2 will beadvised to establish a secure web session between the local device 20 and the serverside 50 over the data network 40. When the server side 50 is an Intemet bank, the user 2may be prompted with an essentially conventional login screen, where the user 2 isasked to enter his personal identification data, read a presented control code and enter iton his code generator, and then enter the random code generated by the code generator -much like the prior art approach described in the Background section of this document.
However, unlike the prior art approach, the server side 50 will generate a QR code and 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 13 show it on the local device 20. The user 2 will be prompted to scan the QR code usingthe built-in camera of his mobile terminal 10.
The mobile terminal 10 will respond to the server side 50 in a handshakeoperation, in which the scanned QR code is sent together with an identifier (eg. IMSI,IMEI) of the mobile terminal 10 over the data network 30. In retum, in implementationswhere encryption is used for the exchange of information in steps 216-218 of Fig 2, theserver side 50 will respond with an encryption key to be stored in local and preferablysecure memory in the mobile terminal 10. The server side 50 may also verify thereceived mobile terminal identifier by deterrnining the identity of the mobile terminal10 on the telecommunications network 30 in much the same way as has been describedabove with reference to steps 219-221 of Fig 2. Upon successful verification, the serverside 50 may insert or update a record in the prestored reference data 56 to create a linkbetween the user 2, the identity of his mobile terminal 10 and his private userinformation 54. From now on, the user 2 will no longer need to use his code generatorfor logging in to his Intemet bank (etc); instead he can conveniently log in by using hismobile terminal and capturing QR codes with the built-in camera.
Fig 3 illustrates a use case where the user 2 makes benef1cial use of the presentinvention when logging in to his Intemet bank from a local device 20. In the situationshown in Fig 3, the user 2 has already requested a secure web session with the bankserver at the server side 50 by for instance clicking on a “Login with my Phone” link onthe home page of the Intemet bank in question. In other words, steps 202 and 204 of Fig2 have already been performed. In response, the bank server initiates the communicationsession 42 and assigns its session ID. Also see step 204 of Fig 2. The bank server alsogenerates the representation of the session ID in the form of a QR code 24, andtransmits it to the local device 20. Upon receipt, the local device 20 presents the QRcode 24 in its user interface 22. See steps 206-210 of Fig 2. Possibly encouraged by analert in the user interface 22 of the local device 20, or merely triggered by theappearance of the QR code 24, the user 2 tums to his mobile terminal 10 and launchesthe secure identification application, see step 212 of Fig 2. This is illustrated at theleftmost solid circle “1” in Fig 3. The user 2 also enters his PIN code in the userinterface of the mobile terminal 10.
As is illustrated at the centered solid circle “2” in Fig 3, the user 2 scans theQR code 24 by using the built-in camera 12 of this mobile terminal to capture an image(photograph). What follows now are steps 214 through 222 of Fig 2, ending with a successful authentication of the communication session 42 in step 224. This also means 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 14 that the user 2 has been signed in to his bank account represented by his private userinforrnation 54 at the bank server. See the rightmost solid circle “3” in Fig 3.
This use case illustrates utterly well some of the merits of the invention, thanksto the simplicity and convenience of the interaction performed by the user 2. Variousother use cases are however equally possible within the scope of the invention. Forinstance, one such altemative use case is when the user 2 has already logged in to hisIntemet bank and now wants to sign a bank transaction, such as the payment of aninvoice by way of a giro transfer. The procedure is very similar; when it is time torequest a signature of the transaction from the user 2, the bank server will initiate asecure session for the transaction; a QR code representing the session ID of this sessionwill be transmitted to the local device 20 and shown on its display; the user 2 will scanthe QR code with his mobile terminal 10; and, at the end, the server side 50 will regardthe transaction session as authenticated and, in effect, the transaction as duly signed bythe user 2.
A similar altemative use case is sign in to other web services or accounts thanIntemet bank-related ones. Essentially the same process is used for sign in to such otherweb services or accounts.
Still another altemative use case is payment in conjunction with e-commerce.A user enters a store on an Intemet site and wants to complete a purchase. The Intemetstore requests an ID from an ID server comprised among the servers 52a-52n at theserver side 50. The user uses his mobile terminal and scans the QR code displayed inthe web browser. The displayed QR code includes information about the ID. The user°sapplication in the mobile terminal sends the scanned ID to the ID server. The ID servernow knows who scanned the QR code. It also receives information from thetelecommunications network telling it that the application is still running on theregistered mobile terminal. If connected to the user°s bank or bank account, the IDserver can now withdraw money from the user. The ID server then sends information tothe Intemet store about the completed transaction. Finally, the Intemet store can displayinformation about the successful payment and complete the purchase.
Yet another altemative use case is payment in real life. The approach providedby the invention is applicable also to payments in real world. The cash register orterminal acts as the local device and displays a QR code. There now exists a com-munication session in the form of a “cash terminal - server” session instead of a web session. 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx The method described above With reference to Fig 2 may be embodied as acomputer program product comprising computer program code for performing theserver-side parts of the method When the computer program code is executed by aprocessor, for instance embodied in any of the servers 52a-52n in Fig 1. The methodmay also be embodied as a computer readable medium having stored thereon acomputer program comprising computer program code for performing the method Whenthe computer program code is executed by a processor. Again the processor may forinstance be embodied in any of the servers 52a-52n in Fig 1. The computer readablemedium may for instance be any of the memories 55, 57 in Fig 1, or another plausiblemedium including but not limited to an optical disc (e. g. CD or DVD), a portable semi-conductor memory (e.g. USB stick), a magnetic disc, or a f1le server accessible in acomputer network such as the Intemet.
Furthermore, the method described above With reference to Fig 2 may beembodied as a computer program product (e.g. a phone app) comprising computerprogram code for performing the mobile terminal parts of the method When thecomputer program code is executed by a processor in the mobile terminal 10. Themethod may also be embodied as a computer readable medium having stored thereon acomputer program comprising computer program code for performing the method Whenthe computer program code is executed by a processor in the mobile terminal 10. Thecomputer readable medium may be any plausible medium including but not limited toan optical disc (e.g. CD or DVD), a portable semi-conductor memory (e.g. USB stick),a magnetic disc, or a f1le server accessible in a computer network such as the Intemet.
The invention has been described above in detail With reference toembodiments thereof. HoWever, as is readily understood by those skilled in the art,other embodiments are equally possible Within the scope of the present invention, as def1ned by the appended claims.

Claims (10)

1. A system (1) for secure identification of a user (2), the system comprising: a mobile terminal (10) Which is operatively connected to a telecommunicationsnetwork (30) and to a data network (40); a local device (20) which is operatively connected to the data network; and a server side (50) comprising at least one server (52a-n) operatively connectedto the data network and at least one server (52a-n) operatively connected to the telecom-munications network, the system being characterized in that the server side (50) is configured to initiate a communication session (42) withsaid local device (20) over said data network (40), said communication session having asession ID, to generate a representation (24) of the session ID and to transmit therepresentation to the local device over said data network; the local device (20) is configured to present the representation in a userinterface (22) of said local device; the mobile terminal (10) is configured to capture the presented representationso as to derive said session ID, and to send a message containing the derived session IDto the server side over said data network; and the server side (5 0) is further configured to determine an identity of the mobileterminal on the telecommunications network, to verify the deterrnined mobile terminalidentity against prestored reference data (5 6) which links the mobile terminal identity toprivate user information (54) pertaining to said user (2), and, upon successful veri- fication, to associate said communication session with said private user information.
2. The system according to claim 1, wherein:said data network (40) is comprised in the Intemet or is compatible therewith;said local device (20) is a computer having a web client application; and said communication session (42) is a secure web session.
3. The system according to claim 1 or 2, wherein: said telecommunications network (3 0) is compliant with one or more standardsselected from the group consisting of: GSM, UMTS, LTE, D-AMPS, CDMA2000,FOMA or TD-SCDMA.
4. The system according to any preceding claim, wherein: 100709 I:\PATRAWIN\COPY\BA\P10367000lfApplication textffinal versiormdocx 17 the mobile terminal (10) is configured to include, in the message whichcontains the derived session ID and is sent on the data network, information about themobile terminal identity it has on the telecommunications network; and the server side (5 0) is configured to use this information which is included insaid message when verifying the deterrnined mobile terminal identity against the prestored reference data.
5. The system according to any preceding claim, wherein:the server side is configured to generate the representation (24) of the sessionID in the form of graphical image data which contains an encoded version of the session ID and which can be visually presented on a display (22) of the local device (20).
6. The system according to claim 5, wherein:the graphical image data is a two-dimensional barcode such as a QuickResponse (QR) code.
7. A method of secure identification of a user (2) having access to a mobileterminal (10) operatively connected to a telecommunications network (40), and to alocal device (20) operatively connected to a data network (3 0), the method comprisingthe steps, at a server side (50) operatively connected to said data network and saidtelecommunications network, of: initiating (204) a communication session (42) over the data network with thelocal device, said communication session having a session ID; generating (206) a representation (24) of the session ID in a format suitable forpresentation in the user interface (22) of the local device, in tum suitable for capture bythe mobile terminal (10) upon presentation in said user interface so as to derive thesession ID included in said representation; transmitting (208) the representation to the local device over said data network; receiving (218) from the mobile terminal over said data network a message(217) containing the derived session ID; deterrnining (219) an identity of the mobile terminal on the telecom-munications network (40); verifying (220) the deterrnined mobile terminal identity against prestoredreference data (5 6) which links the mobile terminal identity to private user information (54) pertaining to said user (2); and 100709 I:\PATRAWIN\COPY\BA\PI0367000lfApplication textffinal versiormdocx 18 upon successful verification, associating (222) said communication session, having the derived session ID, with said private user information.
8. A computer program product comprising computer program code forperforming the method according to claim 7 when said computer program code is executed by a processor (52a-52n).
9. A method of secure identification of a user (2) having access to a mobileterminal (10) operatively connected to a telecommunications network (40), and to alocal device (20) operatively connected to a data network (40), the method comprisingthe steps, in said mobile terminal (l0), of: capturing (2l4) data presented in the user interface (22) of the local device(20); processing (2l4) the captured data to derive a session ID included therein,wherein the session ID represents a communication session (42) over the data networkbetween the local device and a server side (50); sending (216) a message (2l7) containing the derived session ID to the serverside over the data network; and cooperating (22l) with the server side to allow deterrnination of an identity of the mobile terminal on the telecommunications network (3 0).
10. l0. A computer program product comprising computer program code forperforming the method according to claim 9 when said computer program code is executed by a processor (l0).
SE1050777A 2010-07-09 2010-07-09 Secure user identification SE535009C2 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
SE1050777A SE535009C2 (en) 2010-07-09 2010-07-09 Secure user identification
PCT/SE2011/050686 WO2012005653A1 (en) 2010-07-09 2011-06-01 Secure user identification

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
SE1050777A SE535009C2 (en) 2010-07-09 2010-07-09 Secure user identification

Publications (2)

Publication Number Publication Date
SE1050777A1 SE1050777A1 (en) 2012-01-10
SE535009C2 true SE535009C2 (en) 2012-03-13

Family

ID=45441421

Family Applications (1)

Application Number Title Priority Date Filing Date
SE1050777A SE535009C2 (en) 2010-07-09 2010-07-09 Secure user identification

Country Status (2)

Country Link
SE (1) SE535009C2 (en)
WO (1) WO2012005653A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2988550A1 (en) * 2012-03-20 2013-09-27 Acecor Cotep Communication system for use in public space i.e. shopping center, has personal terminal utilized by user of system, and interactive conversational terminal primarily consisted of display screen with multiple programmable windows
SG11201405287YA (en) * 2012-04-01 2014-09-26 Authentify Inc Secure authentication in a multi-party system
EP2693687B1 (en) * 2012-08-02 2016-10-05 Banco Bilbao Vizcaya Argentaria, S.A. Method for generating a code, authorization method and authorization system for authorizing an operation
EP2779709B1 (en) * 2013-03-14 2020-02-05 Samsung Electronics Co., Ltd Application connection for devices in a network
JP6379513B2 (en) 2013-03-15 2018-08-29 株式会社リコー Information processing system, information processing system control method, information processing apparatus, information processing apparatus control method, and program
CN110995689A (en) 2013-06-24 2020-04-10 阿里巴巴集团控股有限公司 Method and device for user identity authentication
CN103825871B (en) * 2013-07-31 2015-05-27 深圳光启创新技术有限公司 Authentication system and emission terminal, reception terminal and authority authentication method thereof
CN104980393B (en) * 2014-04-02 2018-11-13 阿里巴巴集团控股有限公司 Method of calibration, system, server and terminal
WO2016089927A1 (en) * 2014-12-02 2016-06-09 Chipp'd Ltd. System for facilitating the delivery of private information to and from multiple client devices
US11562351B2 (en) * 2019-08-09 2023-01-24 Its, Inc. Interoperable mobile-initiated transactions with dynamic authentication

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101290989B1 (en) * 2006-08-09 2013-07-30 삼성전자주식회사 Method and apparatus for providing financial service using mobile station in packet data system and system thereof
GB2447059B (en) * 2007-02-28 2009-09-30 Secoren Ltd Authorisation system
US8935187B2 (en) * 2007-03-07 2015-01-13 Playspan, Inc. Distributed payment system and method
WO2008156424A1 (en) * 2007-06-21 2008-12-24 Fredrik Schell Method for verification of a payment, and a personal security device for such verification
US7845558B2 (en) * 2007-09-28 2010-12-07 First Data Corporation Accessing financial accounts with 3D bar code
EP2199965A1 (en) * 2009-04-22 2010-06-23 Euro-Wallet B.V. Payment transaction client, server and system

Also Published As

Publication number Publication date
WO2012005653A1 (en) 2012-01-12
SE1050777A1 (en) 2012-01-10

Similar Documents

Publication Publication Date Title
SE1050777A1 (en) Secure user identification
US10360561B2 (en) System and method for secured communications between a mobile device and a server
US8966096B2 (en) Device-pairing by reading an address provided in device-readable form
US10552823B1 (en) System and method for authentication of a mobile device
US11281762B2 (en) Method and apparatus for facilitating the login of an account
CN105591744B (en) A kind of genuine cyber identification authentication method and system
US10299118B1 (en) Authenticating a person for a third party without requiring input of a password by the person
JP5719871B2 (en) Method and apparatus for preventing phishing attacks
TWI449394B (en) User authentication, verification and code generation system maintenance subsystem
US9596237B2 (en) System and method for initiating transactions on a mobile device
AU2011342282B2 (en) Authenticating transactions using a mobile device identifier
US8220030B2 (en) System and method for security in global computer transactions that enable reverse-authentication of a server by a client
US20170279788A1 (en) Secure remote password retrieval
US9256724B2 (en) Method and system for authorizing an action at a site
CN107241339A (en) Auth method, device and storage medium
US10027642B2 (en) Method of access by a telecommunications terminal to a database hosted by a service platform that is accessible via a telecommunications network
KR20170140215A (en) Methods and systems for transaction security
CN110719252A (en) Methods, systems, and computer readable media for authorizing transactions over a communication channel
EP3826260A1 (en) Service agent authentication
JP6584824B2 (en) Transaction system, transaction method, and information recording medium
WO2015186372A1 (en) Transaction system, transaction method, and information recording medium
TWM583082U (en) User identity verification system for safety transaction environment
US10701058B1 (en) System and method for user identification and authentication
Garba A new secured application based mobile banking model for Nigeria
US20210194919A1 (en) System and method for protection against malicious program code injection