US20160212126A1 - Secure identity authentication in an electronic transaction - Google Patents


Publication number
US20160212126A1
Authority
US
United States
Prior art keywords
code
complete
computer
mobile
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US14/597,827
Other versions
US9413757B1 (en
Inventor
Saravanan Sadacharam
Ram Viswanathan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US14/597,827
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. Assignment of assignors interest (see document for details). Assignors: VISWANATHAN, RAM; SADACHARAM, SARAVANAN
Publication of US20160212126A1
Application granted
Publication of US9413757B1
Expired - Fee Related
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements, e.g. access security or fraud detection; Authentication, e.g. verifying user identity or authorisation; Protecting privacy or anonymity; Protecting confidentiality; Key management; Integrity; Mobile application security; Using identity modules; Secure pairing of devices; Context aware security; Lawful interception
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0861 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using biometrical features, e.g. fingerprint, retina-scan
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/322 Aspects of commerce using mobile devices [M-devices]
    • G06Q20/3223 Realising banking transactions through M-devices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • G06Q20/3276 Short range or proximity payments by means of M-devices using a pictured code, e.g. barcode or QR-code, being read by the M-device
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G06Q20/40145 Biometric identity checks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06Q DATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/405 Establishing or using transaction specific rules
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/121 Timestamp

Abstract

An approach is provided for securely authenticating an identity of a user participating in an electronic transaction. A request is received from a mobile device to initiate the electronic transaction. Attributes of the user and request are received. A request is selected for a biometric identifier or a security question to authenticate the identity of the user. The request for the biometric identifier or security question is converted to a complete Quick Response (QR) code. Based on the user and request attributes, the complete QR code is disassembled into first and second portions by employing a disassembly algorithm. The first portion, but not the second portion, is sent to the mobile device, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or security question by capturing network traffic that includes the electronic transaction.

Description

  • TECHNICAL FIELD
  • The present invention relates to managing an electronic transaction, and more particularly to securely authenticating an identity of a party to an electronic transaction.
  • BACKGROUND
  • With the advent of mobile device-based payments and new online fraud patterns, authentication of an identity of a user participating in an electronic transaction over the Internet has become more challenging. Forms of identity authentication include security questions and biometric identifiers (e.g., fingerprints). The security of identity authentication is vulnerable because attackers capture and log wireless network traffic that includes transmissions of security questions, answers to security questions, biometric identifiers and requests for particular biometric identifiers. After being unlawfully captured or captured without permission from the parties to the transaction, information needed to authenticate an identity is used to perform fraudulent transactions.
  • BRIEF SUMMARY
  • In a first embodiment, the present invention provides a method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise. The method includes a computer receiving a request from a mobile device of the user to initiate the electronic transaction and receiving information that specifies attributes of the user and the request. The method further includes the computer selecting a request for a biometric identifier or a security question to authenticate the identity of the user. The method further includes the computer converting the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code. The method further includes based on the information that specifies the attributes of the user and the request, the computer disassembling the first complete QR code into first and second portions of the first complete QR code. The first portion of the first complete QR code is selected by a QR code disassembly algorithm. The first and second portions of the first complete QR code do not have an element in common. The method further includes the computer sending to the mobile device the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
  • In a first aspect of the present invention, the method further includes in response to a scan of the first portion of the first complete QR code by the mobile device, a reassembly of the first complete QR code by the mobile device which employs the first portion of the first complete QR code and a QR code assembly algorithm, a display by the mobile device of the request for the biometric identifier or the security question, a receipt by the mobile device of the biometric identifier or an answer to the security question, a conversion of the biometric identifier or the answer to the security question to a second complete QR code, a disassembly of the second complete QR code into first and second portions of the second complete QR code by employing the QR code disassembly algorithm, and a transmission of the first portion of the second complete QR code from the mobile device to the computer, the computer reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code, which prevents the entity other than the user and the enterprise from obtaining the biometric identifier or the answer to the security question by capturing the network traffic that includes the electronic transaction.
  • In a second aspect of the present invention, the method further includes the computer extracting the biometric identifier or the answer to the security question from the second complete QR code. The method further includes the computer determining whether the extracted biometric identifier or the answer to the security question matches a record in a data repository that includes biometric identifiers or answers to security questions. The method further includes if the extracted biometric identifier or the extracted answer to the security question matches the record in the data repository, the computer authorizing the electronic transaction or if the extracted biometric identifier or the extracted answer to the security question does not match any record in the data repository, the computer indicating the electronic transaction is not authorized.
  • In a third aspect of the present invention, the reassembly of the first complete QR code by the mobile device is performed in response to the mobile device generating a plurality of initial potential QR codes of a plurality of requests for biometric identifiers or a plurality of security questions. The reassembly of the first complete QR code by the mobile device is performed further in response to the mobile device deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and the information that specifies the attributes of the user and the request, where each of the deleted portions matches a shape of the first portion of the first complete QR code. The reassembly of the first complete QR code by the mobile device is performed further in response to the mobile device generating new potential QR codes by filling in the deleted portions with the first portion of the first complete QR code. The reassembly of the first complete QR code by the mobile device is performed further in response to the mobile device determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes. The reassembly of the first complete QR code by the mobile device is performed further in response to, based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is the reassembly of the first complete QR code.
  • In a fourth aspect of the present invention, the step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code includes the computer generating a plurality of initial potential QR codes of a plurality of biometric identifiers or a plurality of answers to the security questions. The step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code further includes the computer deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and information that specifies the attributes of the user and the transmission of the first portion of the second complete QR code, where each of the deleted portions matches a shape of the first portion of the second complete QR code. The step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code further includes the computer generating new potential QR codes by filling in the deleted portions with the first portion of the second complete QR code; the computer determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes. The step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code further includes based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is a reassembly of the second complete QR code.
  • In a fifth aspect of the present invention, the step of receiving the information that specifies the attributes of the user and the request includes the computer completing a handshake with the mobile device and recording a timestamp of the handshake, where the information that specifies the attributes of the request includes the timestamp, and where the step of disassembling the first complete QR code into the first and second portions of the first complete QR code includes selecting the first portion of the first complete QR code based at least in part on the recorded timestamp.
  • In a sixth aspect of the present invention, the method further includes prior to any transaction between the user and the enterprise, the computer storing a plurality of security questions, receiving from the user and storing a plurality of biometric identifiers of the user or a plurality of answers to the security questions, and generating and storing a plurality of requests for the biometric identifiers. The method further includes subsequent to the step of receiving the request to initiate the electronic transaction, the computer determining the electronic transaction is a banking transaction for an amount of money that exceeds a threshold amount. The method further includes based on the banking transaction being for an amount of money exceeding the threshold amount, the computer utilizing a random number generator which randomly selects the request for the biometric identifier from the plurality of requests for the biometric identifiers or the security question from the plurality of security questions.
  • In a second embodiment, the present invention provides a computer program product including a computer-readable storage device and a computer-readable program code stored in the computer-readable storage device. The computer-readable program code includes instructions that are executed by a central processing unit (CPU) of a computer system to implement a method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise. The method includes the computer system receiving a request from a mobile device of the user to initiate the electronic transaction and receiving information that specifies attributes of the user and the request. The method further includes the computer system selecting a request for a biometric identifier or a security question to authenticate the identity of the user. The method further includes the computer system converting the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code. The method further includes based on the information that specifies the attributes of the user and the request, the computer system disassembling the first complete QR code into first and second portions of the first complete QR code. The first portion of the first complete QR code is selected by a QR code disassembly algorithm. The first and second portions of the first complete QR code do not have an element in common. The method further includes the computer system sending to the mobile device the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
  • In a third embodiment, the present invention provides a method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise. The method includes a mobile device of the user sending a request to a server computer of the enterprise to initiate the electronic transaction. The method further includes the mobile device receiving information that specifies attributes of the user and the request to initiate the electronic transaction. The method further includes in response to a selection of a request for a biometric identifier or a security question to authenticate the identity of the user, a conversion of the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code, a disassembly of the first complete QR code into first and second portions of the first complete QR code by a QR code disassembly algorithm based on the information that specifies the attributes of the user and the request to initiate the electronic transaction, where the first and second portions of the first complete QR code do not have an element in common, the mobile device receiving from the server computer the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
  • Embodiments and aspects of the present invention summarized above provide enhanced security for authentication whenever establishing the identity of a person is critical, such as conducting high value financial transactions, making life altering decisions, managing warheads, etc. Transmission of a portion of a QR code that specifies biographic information or biometric identifiers facilitates prevention of a malicious entity from intercepting the transmission of authentication requests to a mobile device or computer or the transmission of authentication data from a mobile device or computer during an electronic transaction. Embodiments of the present invention can coexist with existing biographic based authentication.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram of a system for securely authenticating an identity of a user participating in an electronic transaction with an enterprise, in accordance with embodiments of the present invention.
  • FIGS. 2A-2C depict a flowchart of a process of securely authenticating an identity of a user participating in an electronic transaction with an enterprise, where the process is implemented in the system of FIG. 1, in accordance with embodiments of the present invention.
  • FIG. 3 is a block diagram of a computer or mobile device that is included in the system of FIG. 1 and that implements the process of FIGS. 2A-2C, in accordance with embodiments of the present invention.
  • DETAILED DESCRIPTION
  • Overview
  • Embodiments of the present invention send a portion of a complete QR code during an electronic transaction between a first computer (e.g., mobile device) and a second computer, where the QR code specifies authentication information which authenticates the identity of a user of the first computer. By sending only a portion of the complete QR code, rather than the complete QR code, embodiments of the present invention prevent a malicious entity from (1) intercepting the authentication information or (2) intercepting the complete QR code and deriving the authentication information from the intercepted complete QR code, and subsequently using the authentication information for a fraudulent transaction.
  • System for Secure Authentication of an Identity in an Electronic Transaction
  • FIG. 1 is a block diagram of a system 100 for securely authenticating an identity of a user participating in an electronic transaction with an enterprise, in accordance with embodiments of the present invention. System 100 includes a computer 102 and a mobile device 104, between which data for electronic transactions is transmitted via a computer network 106. Computer 102 executes a software-based identity authentication tool 108, which accesses a data repository 110 that includes biometric identifiers and requests for biometric identifiers 112, security questions and answers to security questions 114, and biographical information 116 about a user of mobile device 104 and other users of computers and mobile devices that participate in electronic transactions with computer 102. Biometric identifiers 112 include, for example, one or more fingerprints of the user of mobile device 104. Security questions 114 are authenticators used by enterprises such as banks, cable companies and wireless providers to provide an extra layer of security, and include, for example, a question that asks a user the make and model of the user's first car. Biographical information 116 includes, for example, a user's date of birth or social security number.
  • Identity authentication tool 108 generates a QR code 118 that specifies one of the requests for biometric identifiers 112 or one of the security questions 114. Identity authentication tool 108 generates a portion 120 of QR code 118 by applying a disassembly algorithm (not shown) to disassemble QR code 118 into a first portion that is to be transmitted to mobile device 104 and a second portion that is not transmitted to mobile device 104. The disassembly into the first and second portions is based on at least biographical information 116 and handshake information 122. Handshake information 122 includes a timestamp of a time at which a handshake occurred between computer 102 and mobile device 104, where the handshake is required to initiate a transmission of data between computer 102 and mobile device 104 as part of an electronic transaction between a user utilizing mobile device 104 and an enterprise or another user utilizing computer 102, and where the data is needed for a query for an identity authentication.
  • Identity authentication tool 108 receives a portion of another QR code that specifies a biometric identifier that is a response to one of the requests for biometric identifiers 112 or an answer to a security question that is a response to one of the security questions 114. The received portion is described below in the discussion of a portion of a QR code generated by mobile device 104.
  • Mobile device 104 executes a software-based identity authentication tool 158, which accesses a data repository 160 that includes requests for biometric identifiers 162, security questions 164, and biographical information 166 about a user of mobile device 104, who is participating in an electronic transaction with an enterprise or other user that utilizes computer 102. The requests for biometric identifiers 162 are included in the requests for the biometric identifiers 112 stored in data repository 110. Security questions 164 are the one or more security questions corresponding to the user of mobile device 104 (i.e., selected by the user or for the user by the enterprise that utilizes computer 102), which are included in security questions 114 stored in data repository 110. The requests for biometric identifiers 162 and security questions 164 are encrypted by a cryptographic hash function (e.g., the MD5 algorithm). Biographical information 166 is the biographical information corresponding to the user of mobile device 104, which is included in biographical information 116 and includes, for example, the date of birth or social security number of the user of mobile device 104.
  • Identity authentication tool 158 receives handshake information 122 and portion 120 of QR code 118 and applies an assembly algorithm (not shown) to reassemble QR code 118 from portion 120 by utilizing biographical information 166 and handshake information 122, which includes the timestamp of the handshake between computer 102 and mobile device 104 for the transmission of portion 120 from computer 102 to mobile device 104. From the reassembled QR code 118, identity authentication tool 158 determines the request for biometric identifier included in requests for biometric identifiers 162 or the security question included in security questions 164.
  • Identity authentication tool 158 generates a QR code 168 that specifies (1) one of the biometric identifiers 112 which is a user-provided response to one of the requests for biometric identifiers 162, or (2) one of the answers to security questions 114, which is a user-provided response to one of the security questions 164. Identity authentication tool 158 generates a portion 170 of QR code 168 by applying the aforementioned disassembly algorithm (not shown) to disassemble QR code 168 based on at least biographical information 166 and handshake information 172. Handshake information 172 includes a timestamp of a time at which a handshake occurred between computer 102 and mobile device 104, where the handshake is required to initiate a transmission of data between computer 102 and mobile device 104 as part of an electronic transaction between a user utilizing mobile device 104 and an enterprise or another user utilizing computer 102, and where the data is an authenticator (e.g., fingerprint or answer to a security question) provided by a user as a response to a query for an identity authentication.
  • Identity authentication tool 158 sends portion 170 of QR code 168. Identity authentication tool 108 receives handshake information 172, receives portion 170, and applies an assembly algorithm (not shown) to reassemble QR code 168 from portion 170 by utilizing biographical information 116 and handshake information 172, which includes the timestamp of the handshake between computer 102 and mobile device 104 for the transmission of portion 170 from mobile device 104 to computer 102. From the reassembled QR code 168, identity authentication tool 108 determines the biometric identifier included in biometric identifiers 112 or the answer to the security question included in answers to security questions 114.
  • In one embodiment, one or more computers (not shown) other than mobile device 104 are in communication with computer 102 via network 106. Each of the one or more computers includes the components that are included in mobile device 104.
  • In an alternative embodiment, system 100 includes a second computer in communication with computer 102 via network 106, where the second computer is not a mobile device and replaces mobile device 104 in FIG. 1, and where the second computer includes the components shown in FIG. 1 which are included in mobile device 104.
  • In one embodiment, mobile device 104 is coupled to a device (not shown) that reads or scans a biometric identifier of the user of mobile device 104. For example, mobile device 104 is coupled to a fingerprint reader.
  • The functionality of the components of FIG. 1 is described in more detail in the discussions presented below relative to FIGS. 2A-2C and FIG. 3.
  • Process for Secure Authentication of an Identity in an Electronic Transaction
  • FIGS. 2A-2C depict a flowchart of a process of authenticating an identity of a user participating in an electronic transaction with an enterprise, where the process is implemented in the system of FIG. 1, in accordance with embodiments of the present invention. The process of FIGS. 2A-2C begins at step 200 in FIG. 2A. In step 202, identity authentication tool 108 (see FIG. 1) receives a request from the mobile device 104 (see FIG. 1) of a user to initiate an electronic transaction between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1).
  • In step 204, identity authentication tool 108 (see FIG. 1) and identity authentication tool 158 (see FIG. 1) receive handshake information 122 which specifies attributes of the request to initiate the electronic transaction, including a timestamp of a handshake between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1), which is required to initiate and authenticate the electronic transaction. In step 204, identity authentication tool 108 (see FIG. 1) also receives attributes of the user, including biographical information of the user. Identity authentication tool 108 (see FIG. 1) retrieves the biographical information of the user from biographical information 116 (see FIG. 1).
  • In one embodiment, subsequent to step 202 and prior to step 206, identity authentication tool 108 (see FIG. 1) determines the requested electronic transaction is a financial transaction for a monetary amount that exceeds a threshold amount that was received by identity authentication tool 108 (see FIG. 1) prior to step 202. Based on the financial transaction being for a monetary amount that exceeds the threshold amount, identity authentication tool 108 (see FIG. 1) performs step 206, which is described below.
  • In step 206, identity authentication tool 108 (see FIG. 1) selects an authenticator to authenticate the identity of the user in order to authorize the electronic transaction. The authenticator is a request for a biometric identifier selected from requests for biometric identifiers 112 (see FIG. 1) or a security question selected from security questions 114 (see FIG. 1). In one embodiment, identity authentication tool 108 (see FIG. 1) utilizes a random number generator to randomly select the authenticator.
  • In step 208, identity authentication tool 108 (see FIG. 1) converts the authenticator selected in step 206 to a first complete QR code (i.e., QR code 118 (see FIG. 1)). Identity authentication tool 108 (see FIG. 1) stores the first complete QR code in association with an identifier of the electronic transaction in data repository 110 (see FIG. 1).
  • In step 210, based on information that specifies attributes of the request received in step 202, which includes handshake information 122 (see FIG. 1), and based on information that specifies attributes of the user (i.e., biographical information of the user included in biographical information 116 (see FIG. 1)), identity authentication tool 108 (see FIG. 1) disassembles the first complete QR code into a first portion (i.e., portion 120 (see FIG. 1)) selected and designated by a disassembly algorithm and into a second portion, where the first and second portions do not have any elements in common. The first portion is, for example, a defined shape included within the complete QR code. The second portion includes all parts of the complete QR code that were not selected by the disassembly algorithm as the first portion (i.e., the part of the complete QR code that was not designated as the first portion). The disassembly algorithm selects the first portion based at least in part on the timestamp of the handshake between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1) included in handshake information 122 (see FIG. 1).
  • In step 212, identity authentication tool 108 (see FIG. 1) sends the first portion of the first complete QR code, but not the second portion or any part of the second portion, to mobile device 104 (see FIG. 1). By sending only the first portion, system 100 (see FIG. 1) prevents an attacker or other malicious entity from obtaining the request for the biometric identifier or the security question selected in step 206 by intercepting and/or capturing data traffic of network 106, where the traffic includes transmissions of data for the electronic transaction between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1). The aforementioned attacker or other malicious entity is an entity other than the user utilizing mobile device 104 (see FIG. 1) and the enterprise or other user utilizing computer 102 (see FIG. 1), and is an entity who does not have permission to intercept the data traffic that includes the electronic transaction.
  • In step 214, mobile device 104 (see FIG. 1) receives and scans the first portion of the first complete QR code.
  • In step 216, based on information that specifies attributes of the request received in step 202, which includes handshake information 122 (see FIG. 1), and based on information that specifies attributes of the user (i.e., biographical information of the user included in biographical information 166 (see FIG. 1)), identity authentication tool 158 (see FIG. 1) reassembles the first complete QR code from the first portion (i.e., portion 120 (see FIG. 1)) by employing an assembly algorithm.
  • In one embodiment, identity authentication tool 158 (see FIG. 1) employing the assembly algorithm (1) generates multiple initial potential QR codes that specify requests for biometric identifiers 162 (see FIG. 1) or security questions 164 (see FIG. 1); (2) deletes portions of the respective initial potential QR codes by employing the disassembly algorithm and the information that specifies the attributes of the user and the request received in step 202, where each of the deleted portions matches a shape of the first portion of the first complete QR code; (3) generates new potential QR codes by filling in the deleted portions with the first portion of the first complete QR code; (4) determines that one of the new potential QR codes matches one of the initial potential QR codes; and (5) based on the one new potential QR code matching one of the initial potential QR codes, determines the one new potential QR code is a reassembly of the first complete QR code.
  • In another embodiment, QR codes of the requests for biometric identifiers 162 and security questions 164 are stored in data repository 160. Identity authentication tool 158 (see FIG. 1) employing the assembly algorithm (1) retrieves from data repository 160 multiple potential QR codes that specify requests for biometric identifiers 162 (see FIG. 1) or security questions 164 (see FIG. 1); (2) obtains portions of the respective potential QR codes by employing the disassembly algorithm and the information received in step 204 that specifies the attributes of the user and the request received in step 202, where each of the obtained portions matches a shape of the first portion of the first complete QR code; (3) attempts to match the first portion to the obtained portions until a match is identified; and (4) in response to identifying a match, identifies the potential QR code that included the obtained portion that matches the first portion and designates the identified potential QR code as the reassembly of the first complete QR code.
  • In step 218 in FIG. 2B, based on the first complete QR code reassembled in step 216 (see FIG. 2A), identity authentication tool 158 (see FIG. 1) determines and displays the request for the biometric identifier or the security question specified by the reassembled first complete QR code.
  • In step 220, identity authentication tool 158 (see FIG. 1) receives from the user the requested biometric identifier specified by the first complete QR code or an answer to the security question specified by the first complete QR code.
  • In step 222, identity authentication tool 158 (see FIG. 1) converts the biometric identifier or answer to the security question received in step 220 into a second complete QR code (i.e., QR code 168 (see FIG. 1)), which is different from the aforementioned first complete QR code.
  • Prior to step 224, identity authentication tool 158 (see FIG. 1) initiates a response to complete the authentication of the identity of the user, where the response is a user-provided answer to the authentication request that was determined in step 218. The initiation of the response to complete the authentication requires a handshake between mobile device 104 (see FIG. 1) and computer 102 (see FIG. 1), which is completed, with the resulting handshake information 172 (see FIG. 1) being received by identity authentication tool 158 (see FIG. 1) and identity authentication tool 108 (see FIG. 1). Handshake information 172 includes a timestamp of the handshake required to initiate the response to complete the authentication.
  • In step 224, based on information that specifies attributes of the response to complete the authentication of the identity of the user (i.e., handshake information 172, including the aforementioned timestamp of the handshake) and based on information that specifies attributes of the user (i.e., biographical information of the user retrieved from biographical information 166 (see FIG. 1)), identity authentication tool 158 (see FIG. 1) disassembles the second complete QR code into a first portion (i.e., portion 170 (see FIG. 1)) selected and designated by the disassembly algorithm and into a second portion, where the first and second portions do not have any elements in common. The first portion 170 (see FIG. 1) is, for example, a defined shape included within the second complete QR code. The second portion of the second complete QR code includes all parts of the second complete QR code that were not selected by the disassembly algorithm as the first portion (i.e., the part of the second complete QR code that was not designated as the first portion). The disassembly algorithm selects the first portion of the second complete QR code based at least in part on the timestamp of the aforementioned handshake between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1) included in handshake information 172 (see FIG. 1).
  • In step 226, identity authentication tool 158 (see FIG. 1) sends to computer 102 (see FIG. 1) the first portion of the second complete QR code as a response to the authentication request determined in step 218, but does not send the second portion or any part of the second portion of the second complete QR code. By sending only the first portion of the second complete QR code, system 100 (see FIG. 1) prevents an attacker or other malicious entity from obtaining the biometric identifier or the answer to the security question received in step 220 by intercepting and/or capturing data traffic of network 106, where the traffic includes transmissions of data for the electronic transaction between computer 102 (see FIG. 1) and mobile device 104 (see FIG. 1), and prevents a subsequent usage of the intercepted or captured biometric identifier or answer to the security question in a fraudulent transaction.
  • In step 228 in FIG. 2C, based on information that specifies attributes of the response sent in step 226 (see FIG. 2B), which includes the timestamp included in handshake information 172 (see FIG. 1), and based on information that specifies attributes of the user (i.e., biographical information of the user included in biographical information 116 (see FIG. 1)), identity authentication tool 108 (see FIG. 1) reassembles the second complete QR code from the first portion (i.e., portion 170 (see FIG. 1)) by employing the assembly algorithm.
  • In one embodiment, identity authentication tool 108 (see FIG. 1) employing the assembly algorithm (1) generates multiple initial potential QR codes that specify biometric identifiers 112 (see FIG. 1) or answers to security questions 114 (see FIG. 1); (2) deletes portions of the respective initial potential QR codes by employing the disassembly algorithm and the information that specifies the attributes of the user and the response sent in step 226 (see FIG. 2B), where each of the deleted portions matches a shape of the first portion 170 (see FIG. 1) of the second complete QR code 168 (see FIG. 1); (3) generates new potential QR codes by filling in the deleted portions with the first portion 170 (see FIG. 1) of the second complete QR code 168 (see FIG. 1); (4) determines that one of the new potential QR codes matches one of the initial potential QR codes; and (5) based on the one new potential QR code matching one of the initial potential QR codes, determines the one new potential QR code is a reassembly of the second complete QR code.
  • In another embodiment, QR codes of the biometric identifiers 112 and answers to security questions 114 are stored in data repository 110. Identity authentication tool 108 (see FIG. 1) employing the assembly algorithm (1) retrieves from data repository 110 multiple potential QR codes that specify biometric identifiers 112 (see FIG. 1) or answers to security questions 114 (see FIG. 1); (2) obtains portions of the respective potential QR codes by employing the disassembly algorithm and the information that specifies the attributes of the user and the response sent in step 226 (see FIG. 2B), where each of the obtained portions matches a shape of the first portion of the second complete QR code; (3) attempts to match the first portion of the second complete QR code to the obtained portions until a match is identified; and (4) in response to identifying a match, identifies the potential QR code that included the obtained portion that matches the first portion and designates the identified potential QR code as the reassembly of the second complete QR code.
  • In step 230, identity authentication tool 108 (see FIG. 1) extracts the biometric identifier or the answer to the security question from the second complete QR code reassembled in step 228.
  • In step 232, identity authentication tool 108 (see FIG. 1) determines whether the biometric identifier or answer to the security question extracted in step 230 matches a record in data repository 110 (see FIG. 1). If identity authentication tool 108 (see FIG. 1) determines in step 232 that the extracted biometric identifier or extracted answer matches a record in data repository 110 (see FIG. 1), then the Yes branch of step 232 is taken and step 234 is performed.
  • In step 234, identity authentication tool 108 (see FIG. 1) authenticates the identity of the user and mobile device 104 (see FIG. 1) receives an authorization from computer 102 (see FIG. 1) for the electronic transaction to proceed.
  • Returning to step 232, if identity authentication tool 108 (see FIG. 1) determines that the extracted biometric identifier or the extracted answer does not match any record in data repository 110 (see FIG. 1), then the No branch of step 232 is taken and step 236 is performed.
  • In step 236, identity authentication tool 108 (see FIG. 1) indicates that the identity of the user is not authenticated and mobile device 104 (see FIG. 1) receives from computer 102 (see FIG. 1) an indication that the electronic transaction is not authorized to proceed.
  • The process of FIGS. 2A-2C ends at step 238, which follows step 234 and step 236.
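  • Added example (not part of the patent text and not the assignee's implementation): a Python sketch of the disassembly of step 210 and the candidate-matching reassembly of step 216, following the embodiment in which the potential QR codes are retrieved from the data repository. The patent does not specify the algorithms, so the stand-in bit matrix produced by `encode_matrix`, the hash-derived rectangle, and every name and sample value below are assumptions.

```python
import hashlib

SIZE = 21  # modules per side of a version-1 QR code

# Constructed sample data (not from the patent).
QUESTIONS = [
    "What was the name of your first school?",
    "Place a finger on the fingerprint reader.",
    "What is the name of the street you grew up on?",
]
TIMESTAMP = "2015-01-15T10:30:00Z"          # handshake timestamp (handshake information 122)
USER_ATTRS = "constructed-user|1980-01-01"  # biographical information of the user


def encode_matrix(payload):
    """Stand-in for a QR encoder (assumption): a deterministic SIZE x SIZE
    bit matrix derived from the payload, so the example needs no QR library."""
    stream = hashlib.shake_256(payload.encode()).digest((SIZE * SIZE + 7) // 8)
    bits = [(stream[i // 8] >> (7 - i % 8)) & 1 for i in range(SIZE * SIZE)]
    return [bits[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]


def select_region(timestamp, user_attrs, shape=(7, 7)):
    """Pick the rectangle (the 'defined shape') from the handshake timestamp
    and the user attributes. Both sides hold these inputs, so both derive the
    same region without it being transmitted."""
    h, w = shape
    digest = hashlib.sha256(f"{timestamp}|{user_attrs}".encode()).digest()
    row = int.from_bytes(digest[:4], "big") % (SIZE - h + 1)
    col = int.from_bytes(digest[4:8], "big") % (SIZE - w + 1)
    return row, col, h, w


def disassemble(matrix, region):
    """Split the matrix into a first portion (the rectangle) and a second
    portion (everything else, rectangle blanked). No module is in both."""
    r0, c0, h, w = region
    first = [row[c0:c0 + w] for row in matrix[r0:r0 + h]]
    second = [[None if r0 <= r < r0 + h and c0 <= c < c0 + w else bit
               for c, bit in enumerate(row)]
              for r, row in enumerate(matrix)]
    return first, second


def send_challenge(selected, timestamp, user_attrs, shape=(7, 7)):
    """Steps 208-212: encode, disassemble, return only the first portion."""
    region = select_region(timestamp, user_attrs, shape)
    first, _second = disassemble(encode_matrix(selected), region)
    return first  # the second portion never leaves the computer


def reassemble(first, candidates, timestamp, user_attrs):
    """Step 216: obtain the same-shaped portion of every candidate and match
    it against the received portion. Zero or several matches is an error;
    the caller must not guess."""
    shape = (len(first), len(first[0]))
    region = select_region(timestamp, user_attrs, shape)
    matches = [p for p in candidates
               if disassemble(encode_matrix(p), region)[0] == first]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} candidates match the received portion")
    return matches[0]


if __name__ == "__main__":
    portion = send_challenge(QUESTIONS[1], TIMESTAMP, USER_ATTRS)
    print("modules sent:", sum(len(r) for r in portion), "of", SIZE * SIZE)
    print("reassembled :", reassemble(portion, QUESTIONS, TIMESTAMP, USER_ATTRS))
```

Reassembly only works when the transmitted portion is large enough to distinguish every candidate; with a 1x1 portion and these three candidates, at least two selections collide and `reassemble` raises instead of picking one.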
  • Computer System
  • FIG. 3 is a block diagram of a computer or mobile device that is included in the system of FIG. 1 and that implements the process of FIGS. 2A-2C, in accordance with embodiments of the present invention. Computer 300 is a computer system or mobile device that generally includes a central processing unit (CPU) 302, a memory 304, an input/output (I/O) interface 306, and a bus 308. Further, computer 300 is coupled to I/O devices 310 and a computer data storage unit 312. In one embodiment, computer 300 is computer 102 (see FIG. 1). In one embodiment, computer 300 is mobile device 104 (see FIG. 1). CPU 302 performs computation and control functions of computer 300, including carrying out instructions included in program code 314 to perform a method of securely authenticating an identity of a user participating in an electronic transaction, where the instructions are carried out by CPU 302 via memory 304. CPU 302 may include a single processing unit, or be distributed across one or more processing units in one or more locations (e.g., on a client and server). Program code 314 includes program code for the software-based components of computer 300, such as identity authentication tool 108 (see FIG. 1) or identity authentication tool 158 (see FIG. 1).
  • Memory 304 includes a known computer readable storage medium, which is described below. In one embodiment, cache memory elements of memory 304 provide temporary storage of at least some program code (e.g., program code 314) in order to reduce the number of times code must be retrieved from bulk storage while instructions of the program code are carried out. Moreover, similar to CPU 302, memory 304 may reside at a single physical location, including one or more types of data storage, or be distributed across a plurality of physical systems in various forms. Further, memory 304 can include data distributed across, for example, a local area network (LAN) or a wide area network (WAN).
  • I/O interface 306 includes any system for exchanging information to or from an external source. I/O devices 310 include any known type of external device, including a display device, keyboard, etc. Bus 308 provides a communication link between each of the components in computer 300, and may include any type of transmission link, including electrical, optical, wireless, etc.
  • I/O interface 306 also allows computer 300 to store information (e.g., data or program instructions such as program code 314) on and retrieve the information from computer data storage unit 312 or another computer data storage unit (not shown). Computer data storage unit 312 includes a known computer-readable storage medium, which is described below. In one embodiment, computer data storage unit 312 is a non-volatile data storage device, such as a magnetic disk drive (i.e., hard disk drive) or an optical disc drive (e.g., a CD-ROM drive which receives a CD-ROM disk).
  • Memory 304 and/or storage unit 312 may store computer program code 314 that includes instructions that are carried out by CPU 302 via memory 304 to securely authenticate an identity of a user participating in an electronic transaction. Although FIG. 3 depicts memory 304 as including program code 314, the present invention includes embodiments in which memory 304 does not include all of code 314 simultaneously, but instead at one time includes only a portion of code 314.
  • Further, memory 304 includes an operating system (not shown) and may include other systems not shown in FIG. 3.
  • Storage unit 312 and/or one or more other computer data storage units (not shown) that are coupled to computer 300 may include data repository 110 (see FIG. 1) or data repository 160 (see FIG. 1).
  • As will be appreciated by one skilled in the art, in a first embodiment, the present invention may be a system; in a second embodiment, the present invention may be a method; and in a third embodiment, the present invention may be a computer program product.
  • Any of the components of an embodiment of the present invention can be deployed, managed, serviced, etc. by a service provider that offers to deploy or integrate computing infrastructure with respect to securely authenticating an identity of a user participating in an electronic transaction. Thus, an embodiment of the present invention discloses a process for supporting computer infrastructure, where the process includes providing at least one support service for at least one of integrating, hosting, maintaining and deploying computer-readable code (e.g., program code 314) in a computer system (e.g., computer 300) including one or more processors (e.g., CPU 302), wherein the processor(s) carry out instructions contained in the code causing the computer system to securely authenticate an identity of a user participating in an electronic transaction. Another embodiment discloses a process for supporting computer infrastructure, where the process includes integrating computer-readable program code into a computer system including a processor. The step of integrating includes storing the program code in a computer-readable storage device of the computer system through use of the processor. The program code, upon being executed by the processor, implements a method of securely authenticating an identity of a user participating in an electronic transaction.
  • While it is understood that program code 314 for securely authenticating an identity of a user participating in an electronic transaction may be deployed by manually loading directly in client, server and proxy computers (not shown) via loading a computer-readable storage medium (e.g., computer data storage unit 312), program code 314 may also be automatically or semi-automatically deployed into computer 300 by sending program code 314 to a central server or a group of central servers. Program code 314 is then downloaded into client computers (e.g., computer 300) that will execute program code 314. Alternatively, program code 314 is sent directly to the client computer via e-mail. Program code 314 is then either detached to a directory on the client computer or loaded into a directory on the client computer by a button on the e-mail that executes a program that detaches program code 314 into a directory. Another alternative is to send program code 314 directly to a directory on the client computer hard drive. In a case in which there are proxy servers, the process selects the proxy server code, determines on which computers to place the proxy servers' code, transmits the proxy server code, and then installs the proxy server code on the proxy computer. Program code 314 is transmitted to the proxy server and then it is stored on the proxy server.
  • Another embodiment of the invention provides a method that performs the process steps on a subscription, advertising and/or fee basis. That is, a service provider, such as a Solution Integrator, can offer to create, maintain, support, etc. a process of securely authenticating an identity of a user participating in an electronic transaction. In this case, the service provider can create, maintain, support, etc. a computer infrastructure that performs the process steps for one or more customers. In return, the service provider can receive payment from the customer(s) under a subscription and/or fee agreement, and/or the service provider can receive payment from the sale of advertising content to one or more third parties.
  • The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) (memory 304 and computer data storage unit 312) having computer readable program instructions 314 thereon for causing a processor (e.g., CPU 302) to carry out aspects of the present invention.
  • The computer readable storage medium (i.e., computer readable storage device) can be a tangible device that can retain and store instructions (e.g., program code 314) for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium and a computer readable storage device, as used herein, are not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
  • Computer readable program instructions (e.g., program code 314) described herein can be downloaded to respective computing/processing devices (e.g., computer 300) from a computer readable storage medium or to an external computer or external storage device (e.g., computer data storage unit 312) via a network (not shown), for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card (not shown) or network interface (not shown) in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
  • Computer readable program instructions (e.g., program code 314) for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
  • Aspects of the present invention are described herein with reference to flowchart illustrations (e.g., FIG. 2 and FIGS. 3A-3B) and/or block diagrams (e.g., FIG. 1 and FIG. 3) of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions (e.g., program code 314).
  • These computer readable program instructions may be provided to a processor (e.g., CPU 302) of a general purpose computer, special purpose computer, or other programmable data processing apparatus (e.g., computer 300) to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium (e.g., computer data storage unit 312) that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
  • The computer readable program instructions (e.g., program code 314) may also be loaded onto a computer (e.g., computer 300), other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • In one embodiment, memory 304 is ROM and computer 300 is a special purpose computer, where the ROM includes instructions of program code 314 that are executed by CPU 302 via ROM 304 to securely authenticate an identity of a user participating in an electronic transaction.
  • The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.
  • While embodiments of the present invention have been described herein for purposes of illustration, many modifications and changes will become apparent to those skilled in the art. Accordingly, the appended claims are intended to encompass all such modifications and changes as fall within the true spirit and scope of this invention.

Claims (20)

What is claimed is:
1. A method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise, the method comprising the steps of:
a computer receiving a request from a mobile device of the user to initiate the electronic transaction and receiving information that specifies attributes of the user and the request;
the computer selecting a request for a biometric identifier or a security question to authenticate the identity of the user;
the computer converting the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code;
based on the information that specifies the attributes of the user and the request, the computer disassembling the first complete QR code into first and second portions of the first complete QR code, the first portion of the first complete QR code selected by a QR code disassembly algorithm, and the first and second portions of the first complete QR code not having an element in common; and
the computer sending to the mobile device the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
2. The method of claim 1, further comprising in response to a scan of the first portion of the first complete QR code by the mobile device, a reassembly of the first complete QR code by the mobile device which employs the first portion of the first complete QR code and a QR code assembly algorithm, a display by the mobile device of the request for the biometric identifier or the security question, a receipt by the mobile device of the biometric identifier or an answer to the security question, a conversion of the biometric identifier or the answer to the security question to a second complete QR code, a disassembly of the second complete QR code into first and second portions of the second complete QR code by employing the QR code disassembly algorithm, and a transmission of the first portion of the second complete QR code from the mobile device to the computer, the computer reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code, which prevents the entity other than the user and the enterprise from obtaining the biometric identifier or the answer to the security question by capturing the network traffic that includes the electronic transaction.
3. The method of claim 2, further comprising:
the computer extracting the biometric identifier or the answer to the security question from the second complete QR code;
the computer determining whether the extracted biometric identifier or the answer to the security question matches a record in a data repository that includes biometric identifiers or answers to security questions; and
if the extracted biometric identifier or the extracted answer to the security question matches the record in the data repository, the computer authorizing the electronic transaction or if the extracted biometric identifier or the extracted answer to the security question does not match any record in the data repository, the computer indicating the electronic transaction is not authorized.
4. The method of claim 2, wherein the reassembly of the first complete QR code by the mobile device is performed in response to:
the mobile device generating a plurality of initial potential QR codes of a plurality of requests for biometric identifiers or a plurality of security questions;
the mobile device deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and the information that specifies the attributes of the user and the request, each of the deleted portions matching a shape of the first portion of the first complete QR code;
the mobile device generating new potential QR codes by filling in the deleted portions with the first portion of the first complete QR code;
the mobile device determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes; and
based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is the reassembly of the first complete QR code.
5. The method of claim 2, wherein the step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code includes:
the computer generating a plurality of initial potential QR codes of a plurality of biometric identifiers or a plurality of answers to the security questions;
the computer deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and information that specifies the attributes of the user and the transmission of the first portion of the second complete QR code, each of the deleted portions matching a shape of the first portion of the second complete QR code;
the computer generating new potential QR codes by filling in the deleted portions with the first portion of the second complete QR code;
the computer determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes; and
based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is a reassembly of the second complete QR code.
6. The method of claim 1, wherein the step of receiving the information that specifies the attributes of the user and the request includes the computer completing a handshake with the mobile device and recording a timestamp of the handshake, wherein the information that specifies the attributes of the request includes the timestamp, and
wherein the step of disassembling the first complete QR code into the first and second portions of the first complete QR code includes selecting the first portion of the first complete QR code based at least in part on the recorded timestamp.
7. The method of claim 1, further comprising:
prior to any transaction between the user and the enterprise, the computer storing a plurality of security questions, receiving from the user and storing a plurality of biometric identifiers of the user or a plurality of answers to the security questions, and generating and storing a plurality of requests for the biometric identifiers;
subsequent to the step of receiving the request to initiate the electronic transaction, the computer determining the electronic transaction is a banking transaction for an amount of money that exceeds a threshold amount; and
based on the banking transaction being for an amount of money exceeding the threshold amount, the computer utilizing a random number generator which randomly selects the request for the biometric identifier from the plurality of requests for the biometric identifiers or the security question from the plurality of security questions.
8. The method of claim 1, further comprising the step of:
providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer, the program code being executed by a processor in the computer to implement the steps of receiving the information, selecting the request, converting the selected request, disassembling the first complete QR code, and sending the first portion of the first complete QR code.
9. A computer program product, comprising:
a computer-readable storage device; and
a computer-readable program code stored in the computer-readable storage device, the computer-readable program code containing instructions that are executed by a central processing unit (CPU) of a computer system to implement a method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise, the method comprising the steps of:
the computer system receiving a request from a mobile device of the user to initiate the electronic transaction and receiving information that specifies attributes of the user and the request;
the computer system selecting a request for a biometric identifier or a security question to authenticate the identity of the user;
the computer system converting the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code;
based on the information that specifies the attributes of the user and the request, the computer system disassembling the first complete QR code into first and second portions of the first complete QR code, the first portion of the first complete QR code selected by a QR code disassembly algorithm, and the first and second portions of the first complete QR code not having an element in common; and
the computer system sending to the mobile device the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
10. The computer program product of claim 9, wherein the method further comprises in response to a scan of the first portion of the first complete QR code by the mobile device, a reassembly of the first complete QR code by the mobile device which employs the first portion of the first complete QR code and a QR code assembly algorithm, a display by the mobile device of the request for the biometric identifier or the security question, a receipt by the mobile device of the biometric identifier or an answer to the security question, a conversion of the biometric identifier or the answer to the security question to a second complete QR code, a disassembly of the second complete QR code into first and second portions of the second complete QR code by employing the QR code disassembly algorithm, and a transmission of the first portion of the second complete QR code from the mobile device to the computer system, the computer system reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code, which prevents the entity other than the user and the enterprise from obtaining the biometric identifier or the answer to the security question by capturing the network traffic that includes the electronic transaction.
11. The computer program product of claim 10, wherein the method further comprises:
the computer system extracting the biometric identifier or the answer to the security question from the second complete QR code;
the computer system determining whether the extracted biometric identifier or the answer to the security question matches a record in a data repository that includes biometric identifiers or answers to security questions; and
if the extracted biometric identifier or the extracted answer to the security question matches the record in the data repository, the computer system authorizing the electronic transaction or if the extracted biometric identifier or the extracted answer to the security question does not match any record in the data repository, the computer system indicating the electronic transaction is not authorized.
12. The computer program product of claim 10, wherein the reassembly of the first complete QR code by the mobile device is performed in response to:
the mobile device generating a plurality of initial potential QR codes of a plurality of requests for biometric identifiers or a plurality of security questions;
the mobile device deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and the information that specifies the attributes of the user and the request, each of the deleted portions matching a shape of the first portion of the first complete QR code;
the mobile device generating new potential QR codes by filling in the deleted portions with the first portion of the first complete QR code;
the mobile device determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes; and
based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is the reassembly of the first complete QR code.
13. The computer program product of claim 10, wherein the step of reassembling the second complete QR code by employing the QR code assembly algorithm and the first portion of the second complete QR code includes:
the computer system generating a plurality of initial potential QR codes of a plurality of biometric identifiers or a plurality of answers to the security questions;
the computer system deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and information that specifies the attributes of the user and the transmission of the first portion of the second complete QR code, each of the deleted portions matching a shape of the first portion of the second complete QR code;
the computer system generating new potential QR codes by filling in the deleted portions with the first portion of the second complete QR code;
the computer system determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes; and
based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is a reassembly of the second complete QR code.
14. The computer program product of claim 9, wherein the step of receiving the information that specifies attributes of the user and the request includes the computer system completing a handshake with the mobile device and recording a timestamp of the handshake, wherein the information that specifies the attributes of the request includes the timestamp, and
wherein the step of disassembling the first complete QR code into the first and second portions of the first complete QR code includes selecting the first portion of the first complete QR code based at least in part on the recorded timestamp.
15. The computer program product of claim 9, wherein the method further comprises:
prior to any transaction between the user and the enterprise, the computer system storing a plurality of security questions, receiving from the user and storing a plurality of biometric identifiers of the user or a plurality of answers to the security questions, and generating and storing a plurality of requests for the biometric identifiers;
subsequent to the step of receiving the request to initiate the electronic transaction, the computer system determining the electronic transaction is a banking transaction for an amount of money that exceeds a threshold amount; and
based on the banking transaction being for an amount of money exceeding the threshold amount, the computer system utilizing a random number generator which randomly selects the request for the biometric identifier from the plurality of requests for the biometric identifiers or the security question from the plurality of security questions.
16. A method of securely authenticating an identity of a user participating in an electronic transaction with an enterprise, the method comprising the steps of:
a mobile device of the user sending a request to a server computer of the enterprise to initiate the electronic transaction and receiving information that specifies attributes of the user and the request to initiate the electronic transaction; and
in response to a selection of a request for a biometric identifier or a security question to authenticate the identity of the user, a conversion of the selected request for the biometric identifier or the security question to a first complete Quick Response (QR) code, a disassembly of the first complete QR code into first and second portions of the first complete QR code by a QR code disassembly algorithm based on the information that specifies the attributes of the user and the request to initiate the electronic transaction, the first and second portions of the first complete QR code not having an element in common, the mobile device receiving from the server computer the first portion of the first complete QR code, but not the second portion of the first complete QR code, which prevents an entity other than the user and the enterprise from obtaining the request for the biometric identifier or the security question by capturing network traffic that includes the electronic transaction.
17. The method of claim 16, further comprising:
the mobile device scanning the first portion of the first complete QR code;
the mobile device reassembling the first complete QR code by employing a QR code assembly algorithm based on the first portion of the first complete QR code and the information that specifies the attributes of the user and the request to initiate the electronic transaction;
based on the reassembled first complete QR code, the mobile device displaying the request for the biometric identifier or the security question;
the mobile device receiving from the user the biometric identifier or an answer to the security question;
the mobile device converting the biometric identifier or the answer to the security question to a second complete QR code;
the mobile device disassembling the second complete QR code into first and second portions of the second complete QR code by employing the QR code disassembly algorithm based on the information that specifies the attributes of the user and information that specifies attributes of a request to complete an authentication of the identity of the user;
the mobile device sending the first portion of the second complete QR code to the server computer; and
in response to a reassembly by the server computer of the second complete QR code by employing the QR code assembly algorithm based on the first portion of the second complete QR code, the information that specifies the attributes of the user, and the information that specifies the attributes of the request to complete the authentication, which prevents the entity other than the user and the enterprise from obtaining the biometric identifier or the answer to the security question by capturing the network traffic that includes the electronic transaction, an extraction by the server computer of the biometric identifier or the answer to the security question from the second complete QR code, a determination of whether the extracted biometric identifier or the answer to the security question matches a record in a data repository that includes biometric identifiers or answers to security questions, and if the extracted biometric identifier or the extracted answer to the security question matches the record in the data repository, the mobile device receiving an indication that the identity of the user is authorized or if the extracted biometric identifier or the extracted answer to the security question does not match any record in the data repository, the mobile device receiving an indication that the identity of the user is not authorized.
18. The method of claim 17, wherein the step of reassembling the first complete QR code is performed in response to:
the mobile device generating a plurality of initial potential QR codes of a plurality of requests for biometric identifiers or a plurality of security questions;
the mobile device deleting portions of the respective initial potential QR codes by employing the QR code disassembly algorithm and the information that specifies the attributes of the user and the request for the biometric identifier or the security question, each of the deleted portions matching a shape of the first portion of the first complete QR code;
the mobile device generating new potential QR codes by filling in the deleted portions with the first portion of the first complete QR code;
the mobile device determining that one of the new potential QR codes matches one of the initial potential QR codes in the plurality of initial potential QR codes; and
based on the one new potential QR code matching one of the initial potential QR codes, the mobile device determining the one new potential QR code is the reassembly of the first complete QR code.
19. The method of claim 16, wherein the step of receiving the information that specifies attributes of the user and the request to initiate the electronic transaction includes the mobile device completing a handshake with the server computer and recording a timestamp of the handshake, wherein the information that specifies the attributes of the request to initiate the electronic transaction includes the timestamp, and
wherein the step of reassembling the first complete QR code by employing the QR code assembly algorithm based on the first portion of the first complete QR code includes selecting the first portion of the first complete QR code based at least in part on the recorded timestamp.
20. The method of claim 16, further comprising the step of:
providing at least one support service for at least one of creating, integrating, hosting, maintaining, and deploying computer-readable program code in the computer, the program code being executed by a processor in the computer to implement the steps of sending the request to initiate the electronic transaction, receiving the information that specifies the attributes of the user and the request to initiate the electronic transaction, and receiving the first portion of the first complete QR code.
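The candidate-matching reassembly of claims 4, 12 and 18, combined with the timestamp-dependent portion selection of claims 6, 14 and 19, is sketched below as an added example; it is not code from the patent. Assumptions: `to_matrix` is a stand-in for a real QR encoder, the hash-ranked rule in `select_positions` is hypothetical (the claims do not specify the disassembly algorithm), and the questions, user ID and timestamp are constructed sample values.

```python
import hashlib

SIZE = 21  # a version-1 QR symbol is a 21x21 module grid


def to_matrix(payload):
    """Stand-in for a QR encoder (assumption): deterministic bit grid per payload."""
    bits, counter = [], 0
    while len(bits) < SIZE * SIZE:
        digest = hashlib.sha256(f"{counter}:{payload}".encode()).digest()
        bits.extend((byte >> i) & 1 for byte in digest for i in range(8))
        counter += 1
    return [bits[r * SIZE:(r + 1) * SIZE] for r in range(SIZE)]


def select_positions(user_id, timestamp, fraction=0.4):
    """Hypothetical disassembly rule: rank cells by a hash of the user and
    request attributes (here the handshake timestamp) and take the top share."""
    seed = f"{user_id}|{timestamp}".encode()
    cells = [(r, c) for r in range(SIZE) for c in range(SIZE)]
    cells.sort(key=lambda rc: hashlib.sha256(seed + bytes(rc)).digest())
    return frozenset(cells[:int(len(cells) * fraction)])


def disassemble(matrix, user_id, timestamp):
    """Split the grid into two portions with no element in common."""
    chosen = select_positions(user_id, timestamp)
    first, second = {}, {}
    for r in range(SIZE):
        for c in range(SIZE):
            (first if (r, c) in chosen else second)[(r, c)] = matrix[r][c]
    return first, second


def reassemble(first_portion, candidates, user_id, timestamp):
    """Receiver side: rebuild the complete code from the first portion only."""
    shape = select_positions(user_id, timestamp)
    if set(first_portion) != shape:
        return None  # received portion does not fit the locally derived shape
    matches = []
    for payload in candidates:
        initial = to_matrix(payload)          # initial potential code
        new = [row[:] for row in initial]
        for r, c in shape:                    # delete the matching-shape portion
            new[r][c] = None
        for (r, c), bit in first_portion.items():
            new[r][c] = bit                   # fill in with the received portion
        if new == initial:                    # new potential code == initial one
            matches.append(payload)
    # Accept only an unambiguous match; anything else is a failed reassembly.
    return matches[0] if len(matches) == 1 else None


# Constructed sample data: the question set both sides stored at enrollment.
QUESTIONS = [
    "What was the name of your first school?",
    "Provide a fingerprint scan of your right index finger.",
    "What is your mother's maiden name?",
]


def demo():
    user, ts = "user-1001", "2015-01-15T10:30:00Z"
    first, _second = disassemble(to_matrix(QUESTIONS[1]), user, ts)
    return reassemble(first, QUESTIONS, user, ts)  # only `first` is transmitted


if __name__ == "__main__":
    print(demo())
```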
US14/597,827 2015-01-15 2015-01-15 Secure identity authentication in an electronic transaction Expired - Fee Related US9413757B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/597,827 US9413757B1 (en) 2015-01-15 2015-01-15 Secure identity authentication in an electronic transaction

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
US14/597,827 US9413757B1 (en) 2015-01-15 2015-01-15 Secure identity authentication in an electronic transaction
DE102016100494.4A DE102016100494A1 (en) 2015-01-15 2016-01-13 Secure identity authentication in an electronic transaction
US15/210,262 US9600818B2 (en) 2015-01-15 2016-07-14 Secure identity authentication in an electronic transaction
US15/404,792 US9715686B2 (en) 2015-01-15 2017-01-12 Secure identity authentication in an electronic transaction
US15/609,819 US9892404B2 (en) 2015-01-15 2017-05-31 Secure identity authentication in an electronic transaction

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/210,262 Continuation US9600818B2 (en) 2015-01-15 2016-07-14 Secure identity authentication in an electronic transaction

Publications (2)

Publication Number Publication Date
US20160212126A1 US20160212126A1 (en) 2016-07-21
US9413757B1 US9413757B1 (en) 2016-08-09

Family

ID=56293901

Family Applications (4)

Application Number Title Priority Date Filing Date
US14/597,827 Expired - Fee Related US9413757B1 (en) 2015-01-15 2015-01-15 Secure identity authentication in an electronic transaction
US15/210,262 Active US9600818B2 (en) 2015-01-15 2016-07-14 Secure identity authentication in an electronic transaction
US15/404,792 Active US9715686B2 (en) 2015-01-15 2017-01-12 Secure identity authentication in an electronic transaction
US15/609,819 Active US9892404B2 (en) 2015-01-15 2017-05-31 Secure identity authentication in an electronic transaction

Country Status (2)

Country Link
US (4) US9413757B1 (en)
DE (1) DE102016100494A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10078773B1 (en) * 2017-03-15 2018-09-18 Visa International Service Association Machine readable code with portion analysis
US10826415B2 (en) 2018-09-06 2020-11-03 Pratt & Whitney Canada Corp. Operation of a hybrid electric aircraft propulsion system

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7751629B2 (en) * 2004-11-05 2010-07-06 Colorzip Media, Inc. Method and apparatus for decoding mixed code
US8191131B2 (en) * 2006-08-23 2012-05-29 International Business Machines Corporation Obscuring authentication data of remote user
US8272038B2 (en) * 2008-05-19 2012-09-18 International Business Machines Corporation Method and apparatus for secure authorization
CA2760251A1 (en) * 2009-05-19 2010-11-25 Security First Corp. Systems and methods for securing data in the cloud
JP4981938B2 (en) 2010-03-08 2012-07-25 富士フイルム株式会社 Diagnosis support apparatus, coronary artery analysis program, and coronary artery analysis method
WO2011113874A2 (en) * 2010-03-19 2011-09-22 Martin Palzer Concept for communicating between different entities using different data portions for different channels
US8763097B2 (en) 2011-03-11 2014-06-24 Piyush Bhatnagar System, design and process for strong authentication using bidirectional OTP and out-of-band multichannel authentication
US20130054271A1 (en) 2011-08-23 2013-02-28 Jessica Joan Langford Using quick response (qr) code to authenticate, access, and transfer electronic medical record information
US8924712B2 (en) 2011-11-14 2014-12-30 Ca, Inc. Using QR codes for authenticating users to ATMs and other secure machines for cardless transactions
US20130262309A1 (en) 2012-04-02 2013-10-03 Mpayme Ltd. Method and System for Secure Mobile Payment
US20140032345A1 (en) 2012-07-30 2014-01-30 Bank Of America Corporation Authentication Using Transaction Codes on a Mobile Device
KR101451214B1 (en) 2012-09-14 2014-10-15 주식회사 엘지씨엔에스 Payment method, server performing the same, storage media storing the same and system performing the same
WO2014055279A1 (en) 2012-10-01 2014-04-10 Acuity Systems, Inc. Authentication system
US9413757B1 (en) 2015-01-15 2016-08-09 International Business Machines Corporation Secure identity authentication in an electronic transaction

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9715686B2 (en) 2015-01-15 2017-07-25 International Business Machines Corporation Secure identity authentication in an electronic transaction
US9892404B2 (en) 2015-01-15 2018-02-13 International Business Machines Corporation Secure identity authentication in an electronic transaction
US20170262845A1 (en) * 2015-03-04 2017-09-14 Trusona, Inc. Systems and methods for user identification using graphical barcode and payment card authentication read data
US10701068B2 (en) * 2015-11-11 2020-06-30 Visa International Service Association Server based biometric authentication
US10666642B2 (en) * 2016-02-26 2020-05-26 Ca, Inc. System and method for service assisted mobile pairing of password-less computer login
US10313383B2 (en) * 2016-06-01 2019-06-04 Mastercard International Incorporated Systems and methods for use in evaluating vulnerability risks associated with payment applications
TWI706269B (en) * 2016-10-28 2020-10-01 香港商阿里巴巴集團服務有限公司 Service realization method and device

Also Published As

Publication number Publication date
US9892404B2 (en) 2018-02-13
US20170270513A1 (en) 2017-09-21
US9715686B2 (en) 2017-07-25
US9600818B2 (en) 2017-03-21
DE102016100494A1 (en) 2016-07-21
US20160321672A1 (en) 2016-11-03
US20170124553A1 (en) 2017-05-04
US9413757B1 (en) 2016-08-09

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SADACHARAM, SARAVANAN;VISWANATHAN, RAM;SIGNING DATES FROM 20141220 TO 20141222;REEL/FRAME:034728/0889

STCF Information on status: patent grant

Free format text: PATENTED CASE

FEPP Fee payment procedure

Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

LAPS Lapse for failure to pay maintenance fees

Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Expired due to failure to pay maintenance fee

Effective date: 20200809