WO2012106778A1 - Mobile communication device services - Google Patents

Publication number
WO2012106778A1
WO2012106778A1 PCT/AU2012/000136 AU2012000136W WO2012106778A1 WO 2012106778 A1 WO2012106778 A1 WO 2012106778A1 AU 2012000136 W AU2012000136 W AU 2012000136W WO 2012106778 A1 WO2012106778 A1 WO 2012106778A1
Authority
WO
WIPO (PCT)
Prior art keywords
code
user
processing system
mobile communication
communication device
Prior art date
Application number
PCT/AU2012/000136
Other languages
English (en)
Inventor
Bernd Ernst UHLMANN
Dmitrijs BELOUSOVS
Øyvind Åmdal ELIASSEN
Serdar NURMAMMEDOV
Original Assignee
Beam Headquarters Pty Ltd
Priority claimed from AU2011900980A
Application filed by Beam Headquarters Pty Ltd
Publication of WO2012106778A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/327 Short range or proximity payments by means of M-devices
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80 Wireless

Definitions

  • the present invention relates to services available via a mobile communication device.
  • POS Point Of Sale
  • PIN personal identification number
  • authentication of a person to access a restricted area is generally performed using some form of identification device.
  • identification device can include near field communication (NFC) technology via Radio Frequency Identification (RFID) chips, however, other systems utilise other identification technologies and the like. It would be convenient if services could be made available for a mobile communication device to help reduce the need for other dedicated items.
  • a server processing system for authenticating a user, wherein the server processing system is configured to:
  • the reader assembly is configured to obtain the device-generated authentication code from the mobile communication device which generates the device-generated authentication code using the base code and the user code;
  • the server processing system in response to authenticating the user, transfers a server request to a third party processing system to perform a service for the user. In certain embodiments, the server processing system transfers a service response to the reader assembly indicative of whether the service was successfully performed by the third party processing system.
  • the server processing system is configured to transfer the service response to the mobile communication device.
  • the third party processing system is a payment processing system, wherein the service request is a payment request.
  • the payment request is indicative of:
  • the third party processing system is an access processing system for providing access to a facility, wherein the service request is an access request.
  • the access request is indicative of:
  • the third party processing system is an entitlement recordal system which records ownership of one or more entitlement objects, wherein the server request is an entitlement request to request proof of ownership of one of entitlement objects.
  • the entitlement request is indicative of:
  • the method in response to authenticating the user, includes recording an expiration of the server-generated authentication code in the data store.
  • the server processing system is configured to:
  • the server processing system performs a synchronisation process with the mobile communication device such that the one or more server generated processing codes corresponding to the one or more base codes previously selected by the mobile communication device for generating the one or more device-generated authentication codes are recorded in the data store as expired.
  • in response to determining that the mobile communication device possesses less than the threshold number of base codes, the server processing system generates a sufficient number of base codes for transfer to the mobile communication device, wherein a corresponding sufficient number of server-generated authentication codes are stored in the data store.
  • a server processing system steps of:
  • the reader assembly is configured to obtain the device-generated authentication code from the mobile communication device which generates the device-generated authentication code using the base code and the user code; and authenticating the user in the event that the device-generated authentication code corresponds to the server-generated authentication code.
  • a computer program for a server processing system for authenticating a user wherein the computer program includes:
  • code for transferring the base code to the mobile communication device for storage; code for receiving an authentication request indicative of a device-generated authentication code from a reader assembly, wherein the reader assembly is configured to obtain the device-generated authentication code from the mobile communication device which generates the device-generated authentication code using the base code and the user code;
  • a mobile communication device for authenticating a user of a mobile communication device wherein the mobile communication device is configured to:
  • the mobile communication device is configured to at least one of: generate a graphical indicator indicative of the device-generated authentication code which is scanned by the reader assembly; and
  • the wireless signal is one of:
  • the mobile communication device is configured to record an expiration of the base code in the memory in response to generating the device-generated authentication code.
  • the mobile communication device is configured to store a plurality of base codes in the memory.
  • the server processing system in response to the user being authenticated, requests a service to be performed by a third party processing system, wherein the mobile communication device is configured to receive a service response indicative of whether the service was performed.
  • the user code is obtained via the user operating an input device of the mobile communication device.
  • a computer program for authenticating a user of a mobile communication device wherein the computer program includes:
  • code for receiving a base code from the server processing system; code for generating a device-generated authentication code using the base code and the user code;
  • the code for transferring the device-generated authentication code to a reader assembly is configured to perform at least one of:
  • the wireless signal is one of:
  • the computer program includes code for recording an expiration of the base code in the memory in response to generating the device-generated authentication code.
  • the computer program includes code for storing a plurality of base codes in the memory.
  • the server processing system requests a service to be performed by a third party processing system, wherein the computer program includes code for receiving a service response indicative of whether the service was performed.
  • the computer program includes code for obtaining the user code via the user operating an input device of the mobile communication device.
  • a reader assembly configured to obtain the device-generated authentication code from the mobile communication device and transfer an authentication request indicative of the device-generated authentication code to the server processing system.
  • the mobile communication device is configured to perform at least one of:
  • the wireless signal is one of:
  • a seventh aspect there is provided a method of authenticating a user, wherein the method includes:
  • storing, by the server processing system, the server-generated authentication code; transferring, from the server processing system to the mobile communication device, the base code for storage by the mobile communication device; generating, in the mobile communication device using the base code and the user code, a device-generated authentication code;
  • Figure 1A is a functional block diagram of a processing system for use in particular embodiments
  • Figure 1B is a system diagram for authenticating a user of a mobile communication device
  • Figure 1C is a functional block diagram of an example of the mobile communication device
  • Figure 1D is a functional block diagram of an example of the server processing system
  • Figure 2 is a flowchart representing a method of authenticating a user of a mobile communication device
  • Figure 3 is a flowchart representing an example of a method of registering with the server processing system for utilising the authentication service for making a payment to another party
  • Figure 4 is a flowchart representing an example of a method of utilising the authentication service for making a payment to another party
  • Figure 5 is a flowchart representing an example method of a user registering with the server processing system to use the authentication service for accessing a facility;
  • Figure 6 is a flowchart representing an example of a method of utilising the authentication service for accessing a facility
  • Figure 7 is a flowchart representing an example method of a user registering with the server processing system to use the authentication service for an electronically recorded entitlement object
  • Figure 8 is a flowchart representing an example of a method of utilising the authentication service for proving ownership of an entitlement object.
  • the processing system 100 generally includes at least one processor 102, or processing unit or plurality of processors, memory 104, at least one input device 106 and at least one output device 108, coupled together via a bus or group of buses 110.
  • input device 106 and output device 108 could be the same device.
  • An interface 112 also can be provided for coupling the processing system 100 to one or more peripheral devices, for example interface 112 could be a PCI card or PC card.
  • At least one storage device 114 which houses at least one database 116 can also be provided.
  • the memory 104 can be any form of memory device, for example, volatile or non-volatile memory, solid state storage devices, magnetic devices, etc.
  • the processor 102 could include more than one distinct processing device, for example to handle different functions within the processing system 100.
  • Input device 106 receives input data 118 and can include, for example, a keyboard, a pointer device such as a pen-like device or a mouse, audio receiving device for voice controlled activation such as a microphone, data receiver or antenna such as a modem or wireless data adaptor, data acquisition card, etc.
  • Input data 118 could come from different sources, for example keyboard instructions in conjunction with data received via a network.
  • Output device 108 produces or generates output data 120 and can include, for example, a display device or monitor in which case output data 120 is visual, a printer in which case output data 120 is printed, a port for example a USB port, a peripheral component adaptor, a data transmitter or antenna such as a modem or wireless network adaptor, etc.
  • Output data 120 could be distinct and derived from different output devices, for example a visual display on a monitor in conjunction with data transmitted to a network. A user could view data output, or an interpretation of the data output, on, for example, a monitor or using a printer.
  • the storage device 114 can be any form of data or information storage means, for example, volatile or non-volatile memory, solid state storage devices, magnetic devices, etc.
  • the processing system 100 is adapted to allow data or information to be stored in and/or retrieved from, via wired or wireless communication means, the at least one database 116 and/or the memory 104.
  • the interface 112 may allow wired and/or wireless communication between the processing unit 102 and peripheral components that may serve a specialised purpose.
  • the processor 102 receives instructions as input data 118 via input device 106 and can display processed results or other output to a user by utilising output device 108. More than one input device 106 and/or output device 108 can be provided. It should be appreciated that the processing system 100 may be any form of terminal, server, specialised hardware, or the like.
  • the system 150 includes a server processing system 160 providing an authentication service which is in data communication with a mobile communication device 170 operated by a user 179 and a reader assembly 180 generally associated with an entity 185 which requires user authentication from the user 179.
  • the server processing system 160 can also be in data communication with one or more third party service processing systems 190 to perform a service for the user 179 of the mobile communication device 170 in response to successful authentication.
  • the server processing system 160 can be a processing system 100 as described in relation to Figure 1A.
  • the mobile communication device 170 can be a processing system 100 as described in relation to Figure 1A but in a portable state.
  • the mobile communication device 170 can be a mobile telecommunication device such as an iPhone, Blackberry, Google Android enabled mobile phone, or other commercially available mobile communication devices.
  • the mobile communication device 170 can alternatively be a tablet computer such as an Apple iPad, Samsung Galaxy Tab, or other commercially available tablet computers.
  • the mobile communication device 170 may include a near field communication (NFC) module in order to allow for near field communication with the reader assembly 180.
  • the reader assembly 180 can include a scanning module, such as a bar code scanner or similar, and/or a near field communication (NFC) module.
  • the components 160, 170, 180, 180 are generally in data communication via one or more networks including one or more telecommunication or computer networks.
  • the computer network can include a local area network (LAN) or a wide area network (WAN) such as the Internet.
  • Referring to FIG. 1C, there is shown a functional block diagram of an example of the mobile communication device 170 for use with embodiments described.
  • the mobile communication device 170 includes a processor 171, memory 172, an input device 173, an output device 174, and data interface 175, optionally a transmitter 176, electrically coupled via a bus 177.
  • the transmitter 176 can be provided in the form of a NFC module.
  • the input device 173 and output device 174 can typically be provided as an integrated device such as a touch screen interface although this is not essential.
  • the memory 172 can include a local database 178.
  • the server processing system 160 includes a processor 161, memory 162, an input device 163, an output device 164, and a data interface 165, electrically coupled via a bus 166.
  • the memory 162 can include a server database 167.
  • Referring to FIG. 2, there is shown a flowchart representing an example method 200 performed by the system 150 for authenticating a user 179 of a mobile communication device 170.
  • the method 200 includes the mobile communication device 170 transferring to the server processing system 160 a user code.
  • the user code is provided in the form of a password or personal identification number (PIN) which is a secret code known by the user 179.
  • the user is generally able to input the user code using an input device, such as a touch screen, of the mobile communication device 170.
  • the method 200 includes the server processing system 160 randomly generating a base code.
  • the base code is a unique string generally including a plurality of alpha-numeric characters.
  • the method 200 includes the server processing system 160 modifying the base code according to the user code to generate a server-generated authentication code.
  • the method 200 includes using a modification function, such as a cryptographic hashing function stored as executable instructions in the memory of the server processing system 160.
  • the cryptographic hashing function is dependent upon the user code, wherein the output of the application of the cryptographic hashing function (commonly referred to as the 'message digest') is an authentication code which is generated by the server processing system, herein referred to as the server-generated authentication code.
  • the method 200 includes the server processing system 160 storing the server-generated authentication code in a data store.
  • the data store is a server database 167, wherein the server-generated authentication code is stored in association with a record for the user in the database 167.
  • the method 200 includes the server processing system 160 transferring the base code to the mobile communication device 170 for storage.
  • the base code is generally stored in local memory of the mobile communication device 170.
  • the method 200 includes, at step 260, the user 179 operating the mobile communication device 170 to generate an authentication code (herein referred to as the device-generated authentication code) using the base code and the user code.
  • executable instructions indicative of the modification function are stored in memory of the mobile communication device 170, wherein the modification function generates the device-generated authentication code based upon the user code and the base code.
  • the method 200 includes the mobile communication device 170 providing the device-generated authentication code to a reader assembly 180.
  • the reader assembly 180 is associated with a party 185 which requires the user to be authenticated.
  • the device-generated authentication code can be provided to the reader assembly 180 via scanning a graphical indicator or via a wireless transmission.
  • the method 200 includes the reader assembly 180 transferring an authentication request to the server processing system 160, wherein the authentication request is indicative of the device-generated authentication code received by the reader assembly 180.
  • the method 200 includes the server processing system 160 comparing the device-generated authentication code against the server-generated authentication code. In the event that the device-generated authentication code corresponds to the server-generated authentication code, the user is authenticated. In the event that the device-generated authentication code does not correspond to the server-generated authentication code, the user is not authenticated.
  • the user downloads a computer program which is installed in the memory of the mobile communication device 170 which is used as an interface for utilising the authentication service.
  • Upon installing and launching the computer program, the user is required to provide registration details to the server processing system 160 including a username and passcode.
  • the passcode can be used as the user code discussed above.
  • the username may be stored in non-volatile memory of the mobile communication device 170 for later retrieval.
  • When the user relaunches the computer program after registration, the mobile communication device 170, controlled by the computer program, establishes a communication link with the server processing system 160. Initially, the server processing system 160 and the mobile communication device 170 undergo a synchronisation process, as will be discussed in further detail later. Once the synchronisation process has been completed, the server processing system 160 determines whether a threshold number of base codes are stored with the mobile communication device 170. For example, the server processing system 160 may have a configurable threshold of '50' set in non-volatile memory.
  • In the event that the mobile communication device 170 possesses less than the threshold number of base codes, the server processing system 160 generates a sufficient number of base codes for the mobile communication device 170 which are then transferred to the mobile communication device 170 for storage in non-volatile memory. In order for the server processing system 160 to transfer the newly generated base codes, the server processing system 160 generates the corresponding server-generated authentication codes using the user code and the modification function. The computer program may prompt the user to input via the input device of the mobile communication device 170 the user code which is transferred to the server processing system 160 for generating the server-generated authentication codes. The server processing system 160 stores the server-generated authentication codes in the respective user record.
  • Each server-generated authentication code can be associated with an expiration field, wherein each newly generated authentication code has an expiration field indicative of an unexpired value.
  • server-generated authentication codes can be generated which have a temporal expiration, wherein an expiration deadline is stored in the user record of the server database 167 for particular server-generated authentication codes.
  • the user can launch the computer program upon the mobile communication device 170 in order to utilise the authentication service provided by the server processing system 160.
  • the user is prompted by the computer program to re-input the user code, and optionally username, via the input device of the mobile communication device 170.
  • the mobile communication device 170 selects one of the base codes stored in the non-volatile memory of the mobile communication device 170 for generating the device-generated authentication code.
  • the computer program includes executable instructions which are indicative of the modification algorithm applied by the server processing system 160 to generate the server-generated authentication code.
  • the processor 102 of the mobile communication device 170 applies the modification function using the selected base code and the user code to generate a device-generated authentication code.
  • the expiration field of the respective base code is set to expired in the non-volatile memory by the computer program controlling the mobile communication device 170.
  • a time stamp indicating when the expiration occurred at the mobile communication device 170 can be recorded in association with the respective base code.
  • the device-generated authentication code can then be provided from the mobile communication device 170 to the reader assembly 180 of a party 185 requiring the user to be authenticated.
  • a number of processes can be used to provide the device-generated authentication code to the reader assembly 180.
  • the computer program can include or have access to a graphical indicator generator module which generates a graphical indicator, such as a barcode or the like, which is indicative of the device-generated authentication code.
  • the graphical indicator is then displayed by the output device of the mobile communication device 170, generally provided in the form of a screen, wherein the reader assembly 180 can scan the screen of the mobile communication device 170 to obtain the graphical indicator which can be interpreted by the reader assembly 180 to obtain the device-generated authentication code.
  • the mobile communication device 170 may include a transmitter which can wirelessly transmit a signal indicative of the device-generated authentication code.
  • the transmitter may be a near field communication module, wherein a near field communication signal is emitted by the mobile communication device 170 and received by and interpreted by a near field communication receiver of the reader assembly 180 to obtain the device-generated authentication code.
  • the mobile communication device 170 may include another type of wireless transmitter such as a Bluetooth module which transmits a Bluetooth signal indicative of the device-generated authentication code which a Bluetooth module of the reader assembly 180 receives and interprets to obtain the device-generated authentication code.
  • the reader assembly 180 can be a reader device including a processing system.
  • the reader assembly 180 can be a processing system in communication with a reader device.
  • the reader assembly 180 generates an authentication request indicative of the received device-generated authentication code which is transferred to the server processing system 160 in order to request authentication of the user.
  • the server processing system 160 queries the server database 167 to determine if a server-generated authentication code corresponding (i.e. matching) to the device-generated authentication code exists in one of the user records which has not expired. In the event that a corresponding server-generated authentication code has been identified, the user is authenticated.
  • the expiration field of the corresponding server-generated authentication code is set to expired such that the respective server-generated authentication code cannot be reused in another authentication request.
  • the server processing system 160 can then request a service to be performed on the user's behalf.
  • this authentication process can be performed without the mobile communication device 170 having communicated with the server processing system 160 once authentication is requested by another party. As such, this authentication process can be utilised in instances where the mobile communication device 170 cannot utilise a computer or telecommunication network.
  • a synchronisation process is automatically performed.
  • the database 178 stored in memory of the mobile communication device 170 is synchronised with the user record of the server database 167 of the server processing system 160.
  • the respective base code stored in memory of the mobile communication device 170 will have expired but the corresponding server-generated authentication code in the server database 167 of the server processing system 160 will have an unexpired expiration field.
  • the server processing system 160 requests from the mobile communication device 170 the transfer of the one or more expired base codes and the user code, which can be input by the user via the input device of the mobile communication device 170.
  • the server processing system 160 then generates the corresponding server-generated authentication codes using the received base codes and the user code in order to identify the server-generated authentication codes stored in the server database 167 which may be unexpired which are subsequently set to expired.
  • the server processing system 160 may then transfer a delete command to the mobile communication device 170 to delete the expired base codes.
  • the server processing system 160 can then generate new base codes in the event that the mobile communication device 170 does not have stored in memory a threshold number of base codes. This process has been previously described, wherein the newly generated unique random base codes are used to generate and store corresponding server-generated authentication codes which are stored in the server database 167, and the newly generated base codes are transferred to the mobile communication device 170 for storage therein.
  • the server processing system 160 can determine, based on the expiration deadline stored in the server database 167 for the corresponding server-generated authentication code, whether the user still has sufficient time to provide the device-generated authentication code to a reader assembly 180 for authentication. In the event that the base code has expired based on the expiration timestamp and the expiration deadline, the corresponding authentication code is set to expired in the server database 167. Otherwise, the corresponding server-generated authentication code is maintained as unexpired in order to allow the user sufficient time to utilise the device-generated authentication code for authentication.
  • the server processing system 160 can perform a service on behalf of the user via transferring a service request to a third party processing system 190.
  • the server processing system 160 can be in data communication with a plurality of third party processing systems for performing a plurality of respective services for the user in response to successful authentication.
  • in order for the server processing system 160 to request a service to be performed on behalf of the user upon successful user authentication, the server processing system 160 is generally required to be registered with each third party processing system 190 such that the server processing system 160 is a trusted entity.
  • a server identifier is generated by each third party processing system 190 and transferred to the server processing system 160 for storage in non-volatile memory.
  • each third party processing system 190 provides an Application Programming Interface (API) through which a service request function can be called by the server processing system 160 in order to request the service to be performed on behalf of the user.
  • the server identifier is referred to as a Global API key.
  • each service request via the service request function of the API requires the server processing system 160 to transfer the server identifier, in the form of the Global API key, in order to identify that the server processing system 160 is a registered server with the third party processing system 190 which can be trusted.
  • further data can be transferred with the service request via the service request function of the API of the third party processing system.
  • Referring to FIG. 3, there is shown a flowchart representing an example of a method 300 of registering with the server processing system for utilising the authentication service for making a payment to another party.
  • the method 300 includes the user 179 registering, via the mobile communication device 170, with the server processing system 160 to use the authentication service for making a payment. This can be performed by the user 179 launching the computer program upon the mobile communication device 170 and interacting with the interface of the computer program to select payment registration.
  • the method 300 includes the user 179 nominating a payment method for registration with the server processing system 160.
  • the user may be able to nominate a credit/debit card for making payments therewith.
  • the user may be able to nominate a money transfer service, such as PayPal, which can be used for making payments.
  • in the event that the user selects to nominate a credit/debit card for making payments, the method proceeds to step 315. In the event that the user selects to nominate a money transfer service, the method proceeds to step 345.
  • the method 300 includes the user providing credit/debit card details to the server processing system 160 via the mobile communication device 170. These details can include a credit/debit card number, an expiry date, and a Card Verification Code (CVC).
  • the method 300 includes the user authorising, via the computer program of the mobile communication device 170, the server processing system 160 to perform a financial transaction using the nominated credit/debit card. Generally, the financial transaction is a small financial transaction, such as $1.
  • the method 300 includes the server processing system 160 transferring a transaction request including the credit/debit card details and the server identifier to third party processing system 190 acting as a payment processing system.
  • the method 300 includes the payment processing system 190 transferring to the server processing system 160 an authorisation code and a user token associated with the user for future transactions.
  • the authorisation code is representative of a receipt which can be stored by the server processing system 160 in the event that the respective transaction is disputed by the credit card owner.
  • the user token is a unique identifier for the user for the respective payment processing system 190.
  • the payment processing system generally stores the credit card details in memory and associates the token with these details. In this configuration, the token can be transferred by the server processing system 160 in future transaction requests such that the credit card details do not need to be stored by the server processing system 160 or transferred by the user to the server processing system 160.
  • the server processing system 160 records the authorisation code and the user token in the user record of the server database 167. The method 300 then proceeds to step 360.
  • the method 300 includes, at step 340, the user transferring account details of the user's account with the payment transfer service and the server identifier to the server processing system 160.
  • the method includes the user requesting a pre-approval key to be generated by the payment processing system 190, associated with the payment transfer service, and forwarded to the server processing system 160.
  • the payment processing system 190 transfers, to the server processing system 160, the generated pre-approval key for the user.
  • the server processing system 160 stores the pre-approval key in the user record in the server database 167.
  • the pre-approval key is effectively a unique user identifier.
  • the payment processing system 190 associates the pre-approval key with the user account details in memory thereof.
  • the server processing system 160 can transfer the pre-approval key, rather than the user account details, in order for the transaction to be performed by the payment processing system 190, rather than having the account details stored or transferred between the processing systems.
  • the method 300 proceeds to step 360.
  • the method 300 includes the server processing system 160 transferring a confirmation to the mobile communication device 170 indicative of the outcome of the registration. If registration was successfully performed, the user is now able to perform a transaction using the authentication service provided by the server processing system 160, as will be described in relation to Figure 4.
  • the method 400 includes the user requesting to purchase a good or service from the merchant 185.
  • the method 400 includes the user 179 launching the computer program on the mobile communication device 170 and indicating, via the interface thereof, that a payment is to be performed.
  • the method 400 includes the mobile communication device 170, under the control of the computer program, requesting the user code.
  • the user code is input by the user 179 via the input device of the mobile communication device 170.
  • the user code can be stored in volatile memory of the mobile communication device 170.
  • the mobile communication device 170, under the control of the computer program, selects a base code and generates a device-generated authentication code using the selected base code, the user code input by the user and the modification algorithm included with the computer program.
  • the mobile communication device 170, under the control of the computer program, stores in the local database 178 of the mobile communication device 170 that the base code has now expired and optionally records a timestamp of expiration.
  • the method 400 includes the mobile communication device 170 providing the device-generated authentication code to the reader assembly 180 of the merchant 185.
  • this may be performed in a number of manners such as via scanning a graphical indicator generated by the mobile communication device 170, or a wireless transmission generated by the mobile communication device 170 which is received by the reader assembly 180.
  • the reader assembly 180 generates a payment request.
  • the payment request is indicative of the device-generated authentication code, the amount of the payment, a merchant identifier uniquely indicative of the merchant, and optionally the goods/service being purchased.
  • the reader assembly transfers the payment request to the server processing system.
  • the method 400 includes the server processing system 160 determining if a server-generated authentication code exists in the server database 167 which corresponds to the device-generated authentication code indicated by the payment request.
  • the corresponding user 179 is identified and considered authenticated by the server processing system 160 in order to request payment by the nominated payment method.
  • the method 400 then proceeds to step 455.
  • the payment request is not authenticated and the method 400 proceeds to step 485.
  • the method 400 includes the server processing system 160 setting the expiration field of the identified corresponding server-generated authentication code to expired.
  • the method 400 includes transferring a transaction request to the payment processing system 190.
  • the transaction request is indicative of the amount of the payment, a merchant identifier uniquely indicative of the merchant, and optionally the goods/service being purchased.
  • the payment request is indicative of the user token retrieved from the user record of the server database 167.
  • the payment transfer service such as PayPal
  • the payment request is indicative of the pre-approval key which is retrieved from the server database 167.
  • the payment processing system 190 proceeds with processing the transaction request at step 465.
  • the payment processing system 190 transfers a transaction outcome response to the server processing system 160 indicative of whether the transaction was successfully performed or not. Additionally, the transaction outcome response is indicative of an authorisation code, wherein the authorisation code is stored in the user record of the server database 167 in the event that the transaction is later queried.
  • the server processing system 160 transfers a payment confirmation to the reader assembly indicating whether the payment was successful.
  • the payment confirmation is transferred to the mobile communication device 170. In the event that the payment confirmation indicates that the payment was successfully performed, the transaction is complete such that the user now has purchased the goods and/or services from the merchant.
  • Referring to FIG. 5, there is shown a flowchart representing a method 500 of a user registering with the server processing system 160 to use the authentication service for accessing a facility.
  • the facility may be a restricted area, such as a building, a vehicle, or the like.
  • the facility is generally monitored by a facility access entity which uses an access processing system for electronically controlling access to the facility.
  • the method 500 includes the user 179 launching the computer program upon the mobile communication device 170.
  • the launch of the computer program generally requires the user to login using a username and user code.
  • the user selects facility access registration via the interface of the computer program of the mobile communication device 170.
  • the method 500 includes the server processing system 160 being notified of the user requesting registration for facility access due to receiving a registration notification request from the mobile communication device 170.
  • the method includes the user requesting that a user access identifier, uniquely indicative of the user, is provided from an access processing system 190 controlling the access point to the server processing system 160.
  • the method 500 includes the access processing system 190 providing a user access identifier to the server processing system 160.
  • the server processing system 160 stores the user access identifier in the user record of the server database 167.
  • the server processing system 160 transfers a registration confirmation indicative of the user being registered for facility access utilising the authentication service provided by the server processing system 160.
  • Referring to FIG. 6, there is shown a flowchart representing a method of a user utilising the authentication service to obtain facility access which the user is registered to use from method 500.
  • the example for Figure 6 will be described in relation to accessing a building which has a reader assembly to open a door to provide access therein.
  • the method 600 includes, at step 605, the user 179 launching the computer program installed upon the mobile communication device 170.
  • the method 600 includes the user 179 indicating via the interface of the computer program that facility access is required.
  • the method 600 includes the user being requested to input the user code if not already provided.
  • the method 600 includes the mobile communication device 170 selecting a base code stored in non-volatile memory of the mobile communication device 170.
  • the method 600 includes the mobile communication device 170, under the control of the computer program, generating, using the modification algorithm, a device-generated authentication code using the selected base code and the user code.
  • the expiration field in local database 178 of the mobile communication device 170 for the respective base code is set to expired.
  • the method 600 includes the user providing the device-generated authentication code to the reader assembly 180.
  • the device-generated authentication code can be provided in a number of manners.
  • the reader assembly 180 generates and transfers an access request to the server processing system 160.
  • the access request is indicative of the device-generated authentication code and an access point identifier indicative of the access point to which the user is requesting access.
  • the method 600 includes the server processing system 160 determining if a corresponding server-generated authentication code exists in the server database 167, which is unexpired, which corresponds to the device-generated authentication code indicated by the access request.
  • the method 600 includes the server processing system 160 setting the expiration field of the corresponding server-generated authentication code as expired.
  • the method 600 includes the server processing system 160 generating an access request for transfer to the access processing system 190.
  • the access request is indicative of the user access identifier uniquely associated with the user, which is retrieved from the identified user record of the server database 167, and the access point identifier.
  • the access processing system 190 determines whether facility access should be provided to the user based upon the access point identifier and the user access identifier.
  • access permission data stored in a data store such as a database 191 and accessible by the access processing system 190 may be used to determine whether facility access should be provided (e.g. access may be only granted to the user for particular time periods).
  • in the event that the access processing system 190 determines that facility access should be granted, the access processing system 190 actuates an access point actuator associated with the access point to provide access to the user at step 665.
  • the authentication service can also be used for authenticating entitlement objects such as coupons, vouchers, tickets, gift cards and certificates, and the like which have traditionally utilised a paper or card based presentation process.
  • the method 700 includes the user 179 launching the computer program upon the mobile communication device 170.
  • the launch of the computer program generally requires the user to login using a username and user code.
  • the user selects entitlement object registration via the interface of the computer program of the mobile communication device 170.
  • the method 700 includes the server processing system being notified, by receipt of a registration notification from the mobile communication device 170, of the user requesting registration for use of entitlement objects.
  • the method 700 includes the user 179 requesting that a user entitlement identifier uniquely identifying the user is provided from an entitlement recordal processing system 190 to the server processing system 160.
  • the entitlement recordal processing system 190 is a processing system 100 which records, in a data store 191 such as a database, the allocation of an entitlement to a user, such as a ticket.
  • the entitlement recordal processing system 190 may be the processing system which issues the entitlement object, such as a ticket machine, however this is not necessarily the case and may be a dedicated processing system for maintaining the recordal of entitlement objects.
  • the method 700 includes the user entitlement identifier being provided by the entitlement recordal processing system 190 to the server processing system 160.
  • the server processing system 160 stores the user entitlement identifier in the user record of the server database 167.
  • the server processing system 160 transfers a registration confirmation indicative of the user being registered for electronic entitlement objects utilising the authentication service provided by the server processing system 160.
  • the method 800 includes, at step 805, the user launching the computer program installed upon the mobile communication device 170.
  • the method 800 includes the user indicating via the interface of the computer program that an electronic entitlement is to be used.
  • the method 800 includes the user 179 being requested to input the user code if not already provided.
  • the method 800 includes the mobile communication device 170 selecting a base code stored in non-volatile memory of the mobile communication device 170.
  • the method 800 includes the mobile communication device 170, under the control of the computer program, generating, using the modification function, a device-generated authentication code using the selected base code and the user code.
  • the expiration field in local database 178 of the mobile communication device 170 for the respective base code is set to expired.
  • the method 800 includes the user providing the device-generated authentication code to the reader assembly 180.
  • the device-generated authentication code can be provided in a number of manners.
  • the reader assembly generates and transfers an entitlement request to the server processing system 160.
  • the entitlement request is indicative of the device-generated authentication code and an identifier of the good and/or service associated with the ticket (such as an event identifier, a trip identifier, etc).
  • the method 800 includes the server processing system 160 determining if a corresponding server-generated authentication code exists in the server database 167, which is unexpired, which corresponds to the device-generated authentication code indicated by the entitlement request.
  • the method 800 includes the server processing system 160 setting the expiration field of the corresponding server-generated authentication code as expired.
  • the method 800 includes the server processing system 160 generating an entitlement request for transfer to the entitlement recordal system 190.
  • the entitlement request is indicative of the user entitlement identifier uniquely associated with the user, which is retrieved from the identified user record of the server database 167, and the identifier indicative of the good/service.
  • the entitlement recordal system 190 determines, based on the database 191, whether an electronic ticket has been recorded in an entitlement database based upon the good/service identifier and the user entitlement identifier. Generally, the entitlement recordal system 190 will record, in the database 191, that an entitlement object, such as a ticket, has now been redeemed in the entitlement database.
  • the method 800 includes, at step 865, the entitlement recordal system 190 transferring an entitlement confirmation to the server processing system 160.
  • the method 800 includes the server processing system 160 transferring the entitlement confirmation to the reader assembly 180 of the third party 185 and optionally to the user's mobile communication device 170, indicative of whether the user's entitlement has been confirmed.
  • the computer program installed upon the mobile communication device 170 and the server processing system 160 utilise a secure communication protocol in order to transfer data therebetween.
  • secure sockets layer (SSL) protocol may be utilised.
  • a device identifier may be transferred from the mobile communication device 170 to the server processing system 160 which is recorded in the respective user record of the server database 167.
  • the device identifier may be transferred to the server processing system 160 for authenticating the user.
  • communication between the server processing system 160 and the third party processing system 190 for performing a requested service is generally performed via one or more API functions made available by the third party processing system 190.
  • the server processing system 160 simply provides the required data necessary to request the service to be performed such that the server processing system 160 is isolated from how the service is performed by the third party processing system 190.
  • the authentication service herein described can also have other applications.
  • the authentication service can be utilised for proof of membership, applying for a financial loan, and completing a donation.
  • the computer program installed upon the mobile communication device 170 may be provided upon a computer readable medium having recorded thereon executable instructions for configuring the mobile communication device 170 to perform as discussed above.
  • the server-generated authentication codes generated by the server processing system 160 are associated with an expiration deadline.
  • This deadline can be set based upon a setting stored in non-volatile memory of the server processing system 160.
  • the expiration deadline indicates a timeframe within which the base code can be used with the authentication service.
  • the server processing system 160 transfers base code data indicative of each base code and the corresponding expiration deadline for each base code.
  • the base codes and the respective expiration deadlines are stored in memory of the mobile communication device 170.
  • the mobile communication device 170 can be configured to select a base code for generating a device-generated authentication code which is associated with an expiration deadline which has not passed.
  • Base codes which have passed the respective expiration deadline can be deleted from memory of the mobile communication device.
  • the deletion of expired base codes can be in response to a command received from the server processing system before, during or after synchronisation. It will be appreciated that when an authentication request is received by the server processing system, the server processing system determines that the corresponding server-generated authentication code has an expiration deadline which has not passed.
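The offline code generation, one-time matching and synchronisation steps described in the list above can be sketched as follows. This is an added example, not code from the patent: the page does not specify the modification algorithm, so HMAC-SHA256 keyed with the user code stands in for it, and the class names, the 16-character code length, the threshold of 3 base codes and the 60-second grace window are assumptions.

```python
import hashlib
import hmac
import secrets


def modify(base_code: bytes, user_code: str) -> str:
    """Stand-in modification algorithm (assumption): HMAC-SHA256 keyed with the user code."""
    mac = hmac.new(user_code.encode(), base_code, hashlib.sha256)
    return mac.hexdigest()[:16]


class Server:
    """Stores only derived authentication codes; base codes are handed to the device."""

    def __init__(self, threshold: int = 3, grace_seconds: int = 60):
        self.codes = {}  # auth code -> {"user": str, "expired": bool}
        self.threshold = threshold
        self.grace_seconds = grace_seconds

    def issue(self, user, user_code, have=0):
        """Top the device up to the threshold number of unexpired base codes."""
        batch = []
        for _ in range(max(0, self.threshold - have)):
            base = secrets.token_bytes(16)
            self.codes[modify(base, user_code)] = {"user": user, "expired": False}
            batch.append(base)
        return batch

    def authenticate(self, device_code):
        """Request forwarded by a reader: match an unexpired code, then expire it."""
        rec = self.codes.get(device_code)
        if rec is None or rec["expired"]:
            return None
        rec["expired"] = True  # one-time use: a replayed code no longer matches
        return rec["user"]

    def synchronise(self, user, user_code, used, unused_count, now):
        """used: (base_code, device_expiry_time) pairs the device has consumed."""
        delete = []
        for base, expired_at in used:
            rec = self.codes.get(modify(base, user_code))
            if rec is None or rec["user"] != user:
                continue  # wrong user code or unknown base code: reconcile later
            if not rec["expired"]:
                if now - expired_at < self.grace_seconds:
                    continue  # user may still be on the way to a reader
                rec["expired"] = True  # generated on the device but never presented
            delete.append(base)
        return delete, self.issue(user, user_code, have=unused_count)


class Device:
    """Holds base codes only; the user code is supplied by the user on each use."""

    def __init__(self):
        self.entries = []

    def store(self, batch):
        self.entries += [{"base": b, "expired_at": None} for b in batch]

    def unexpired(self):
        return sum(1 for e in self.entries if e["expired_at"] is None)

    def generate(self, user_code, now):
        """Works with no network: consume one base code and derive the code."""
        for e in self.entries:
            if e["expired_at"] is None:
                e["expired_at"] = now
                return modify(e["base"], user_code)
        raise LookupError("no unexpired base code left; synchronise first")

    def synchronise(self, server, user, user_code, now):
        used = [(e["base"], e["expired_at"])
                for e in self.entries if e["expired_at"] is not None]
        delete, fresh = server.synchronise(user, user_code, used, self.unexpired(), now)
        self.entries = [e for e in self.entries if e["base"] not in delete]
        self.store(fresh)


if __name__ == "__main__":
    srv, dev = Server(), Device()
    dev.store(srv.issue("alice", "4921"))      # constructed user and user code
    code = dev.generate("4921", now=1000)
    print(srv.authenticate(code), srv.authenticate(code))  # second call is a replay
```

A code generated on the device but never presented stays live on the server until a synchronisation that falls outside the grace window, which is why the synchronisation step expires it explicitly.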

Abstract

The present invention relates to a method, a system, a server processing system and a mobile communication device for providing mobile communication device services. In one aspect of the invention, a server processing system is used to authenticate a user, and is configured to: receive, from a mobile communication device of the user, a user code; randomly generate a base code; modify, using the user code, the base code to generate a server-generated authentication code; store the server-generated authentication code in a data store; transfer the base code to the mobile communication device for storage therein; receive an authentication request indicative of a device-generated authentication code from a reader assembly, the reader assembly being configured to obtain the device-generated authentication code from the mobile communication device, which generates the device-generated authentication code using the base code and the user code; and authenticate the user when the device-generated authentication code corresponds to the server-generated authentication code.
PCT/AU2012/000136 2011-02-10 2012-02-10 Mobile communication device services WO2012106778A1 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US201161441415P 2011-02-10 2011-02-10
US61/441,415 2011-02-10
AU2011900980A AU2011900980A0 (en) 2011-03-17 Mobile telecommunication device services
AU2011900980 2011-03-17

Publications (1)

Publication Number Publication Date
WO2012106778A1 true WO2012106778A1 (fr) 2012-08-16

Family

ID=46638082

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/AU2012/000136 WO2012106778A1 (fr) 2011-02-10 2012-02-10 Mobile communication device services

Country Status (1)

Country Link
WO (1) WO2012106778A1 (fr)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12744639

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12744639

Country of ref document: EP

Kind code of ref document: A1