WO2015000425A1 - Method and system for authenticating user using out-of-band channel - Google Patents

Info

Publication number
WO2015000425A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
mobile communication
communication device
central processing
processing server
Application number
PCT/CN2014/081588
Inventor
Alessandro Gadotti
Original Assignee
Mpayme Ltd.
Application filed by Mpayme Ltd.
Priority to EP14820320.1A (EP3017391A4)
Priority to CN201480038231.XA (CN105556531A)
Publication of WO2015000425A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60 Context-dependent security
    • H04W12/69 Identity-dependent
    • H04W12/77 Graphical identity

Definitions

  • the present invention relates generally to methods and systems of online user authentication. Particularly, the present invention relates to online user authentication techniques that utilize out-of-band channels.
  • the present invention can be implemented as an extension to the secure mobile payment system described in United States Patent Application No. 13/602,197.
  • the present invention comprises a central processing server accessible through a communication network, such as the Internet; a plurality of users; mobile communication devices and client computing devices that can access the central processing server; and a third party computing processor that can access the central processing server.
  • the functionalities of the central processing server comprises user authentication, user account management for managing user accounts, wherein the user accounts contain user identification and authentication credentials, and are stored securely in a database.
  • the central processing server includes a plurality of user interfaces for user interaction using various types of computing devices and mobile communication devices running web browser applications.
  • the central processing server also includes server backend APIs for machine-to-machine integration enabling specially-developed applications running in the third party computing processor to communicate with the central processing server.
  • These user interfaces and server backend APIs facilitate the functionalities including, but are not limited to, user authentication, user account management and online shopping by users, system administration by administrators, online shopping inventory, payment, and fulfillment management by users.
  • each of the mobile communication devices is equipped with a camera or scanner for optically capturing images of computer-generated encoded data such as barcodes.
  • the mobile communication device is configured to process the captured encoded data image and exchange data with the central processing server for facilitating various aforementioned functionalities such as user authentication.
  • the central processing server with its database, user interfaces and server backend APIs, and the mobile communication devices running the secure mobile transaction mobile application constitute a secure mobile transaction system.
  • each user account in the secure mobile transaction system may associate (pair) with only a single mobile communication device at any one time.
  • a user who has already been registered and created a valid user account in the secure mobile transaction system may use his/her mobile communication device that has already been registered and paired in the secure mobile transaction system to authenticate for accessing a protected third party application, such as a third party web site, provided by the third party processing server, or one or more protected user interfaces provided by the central processing server.
  • the user authentication method comprises: the central processing server generates an encoded data, such as a QR code, from encoding a session number, which can be randomly generated; a first mobile communication device or a first client computing device displays a login page that includes the QR code to the user for authentication; the user uses a second mobile communication device that has already been registered and paired in the secure mobile transaction system to image-capture the QR code, and sends the decoded QR code data to the central processing server; the central processing server validates the decoded QR code data against the session number; upon a positive validation, the user enters his/her security PIN in the second mobile communication device, and the PIN is sent to the central processing server for validation; and upon a positive validation, the user authentication is completed.
  • FIG. 1 shows a block diagram illustrating an embodiment of the presently claimed secure mobile transaction system
  • FIG. 2 depicts a user activity diagram illustrating an embodiment of user authentication process using the secure mobile transaction system
  • FIG. 3 shows an exemplary embodiment of the transitioning user interface being displayed during the user authentication process using the secure mobile transaction system.
  • the presently claimed invention comprises a central processing server 105 accessible through a first communication network 104, which can be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol; a plurality of users 101 each associating with a user account; mobile communication devices 102 that can access the central processing server 105 through the first communication network 104; client computing devices 103 that can access the central processing server 105 and a third party processing server 107 through a second communication network 106, which can be the same as the first communication network 104 or a separate communication network that can be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol.
  • the functionalities of the central processing server 105 comprises user authentication and user account management for managing user accounts, wherein a data record of a user account comprises the user's identification and authentication credential.
  • the central processing server 105 includes at least one group of user interfaces for users accessible by the mobile communication devices 102 and the client computing devices 103.
  • the group of user interfaces include interactive transactional web pages that can be displayed in web browser applications running in the mobile communication devices 102 and the client computing devices 103, and user interfaces that are specifically designed for specifically-developed mobile applications running in the mobile communication devices 102.
  • One exemplary embodiment of such user interface is a mobile application (App) running on the iOS ® operating system developed by Apple ® Inc.
  • Another exemplary embodiment of such user interface is a mobile application (App) running on the Android ® operating system developed by Google ® Inc.
  • the central processing server also provides another group of user interfaces for system administrative users.
  • the central processing server 105 also includes server backend APIs for machine-to-machine integration, enabling specifically-developed software applications running in the third party processing server 107 to communicate with the central processing server 105.
  • the machine-to-machine data interchanges via the server backend APIs support industry standards including, but not limited to, XML and JSON.
  • These user interfaces and server backend APIs facilitate the functionalities including, but are not limited to, user authentication, user account management, and online shopping by users, system administration by administrators, online shopping inventory, payment, and fulfillment management by users.
  • the central processing server 105 includes a database for preserving data records of the user accounts, system configuration data, and other meta data.
  • the database can be implemented in the same physical computer server of the central processing server 105, or in a separate physical computer server.
  • Exemplary embodiments of the database are various commercially available relational database management systems such as Oracle ® Database and Microsoft ® SQL Server.
  • each of the mobile communication devices 102 is equipped with a camera or scanner for optically capturing images of computer-generated encoded data such as barcodes.
  • the mobile communication device is configured to process the captured encoded data image and exchange data with the central processing server for facilitating various aforementioned functionalities such as user authentication.
  • the mobile communication device configuration for processing the encoded data and executing a mobile transaction is accomplished by installing and executing mobile application software and/or firmware specifically designed for the mobile communication device (hereinafter referred to as secure mobile transaction mobile application).
  • the operating system (OS) of the mobile communication device is modified and/or configured to accomplish portions or all of the aforementioned functionalities.
  • the central processing server 105 with its database, user interfaces and server backend APIs, and the mobile communication devices 102 running the secure mobile transaction mobile application constitute a secure mobile transaction system.
  • each user account in the secure mobile transaction system may associate (pair) with only a single mobile communication device 102 at any one time.
  • Each of the users 101 may also be required to define a security personal identification number (PIN) for his/her user account according to the system configuration.
  • a user account is created in the central processing server and its record data is stored in the database of the central processing server when a new user is registered in the secure mobile transaction system.
  • the user registration process includes steps for registering and pairing his/her mobile communication device.
  • the user registration process adopts that of the secure mobile payment system as disclosed in United States Patent Application No. 13/602,197.
  • the computer-generated barcode is a matrix or two-dimensional barcode such as a Quick Response (QR) code.
  • the barcode can be generated by the central processing server 105.
  • the barcode contains at least an identity data, which is unique to each barcode at least within the secure mobile transaction system if not globally.
  • the barcode can be electronically displayed on the screen of a client computing device 103 or mobile communication device 102.
  • the barcode can also be printed and displayed on various portable articles including, but not limited to, a paper ticket and a carrying card.
  • all communications between the mobile communication devices 102 and the central processing server 105 are PKI encrypted using, for example, AES, and the data communication messages are transmitted over Secure Socket Layer (SSL).
  • a user who has already been registered and created a valid user account in the secure mobile transaction system may use his/her mobile communication device that has already been registered and paired in the secure mobile transaction system to authenticate for accessing a protected third party application, such as a third party web site, provided by the third party processing server, or one or more protected user interfaces provided by the central processing server.
  • the user authentication method comprises the following steps:
  • a user requesting to access the protected third party application provided by the third party processing server or the one or more protected user interfaces provided by the central processing server wherein the protected third party application can be a third party web site that is protected by access control and requires user authentication for its access and which can be accessed through a web browser application running in a first mobile communication device or a first client computing device, and wherein the protected user interfaces provided by the central processing server can be interactive transactional web pages that are protected by access control and require user authentication for their accesses and which can be accessed through a web browser application running in a first mobile communication device or a first client computing device.
  • the user is redirected to a login page, wherein the login page can be served from the third party processing server or the central processing server.
  • the login page includes an encoded data such as a barcode that is displayed on the screen of the first mobile communication device or the first client computing device.
  • the barcode can be a QR code.
  • the encoded data is dynamically generated by the central processing server during the rendering of the login page.
  • the generation of the encoded data comprises the central processing server generating a random number, wherein the random number can be 32 characters (30 characters + 2 checksum) in length; and encoding the random number into a QR code for the encoded data.
  • the random number is a session number for later associating with the user's logon session.
  • the generation of the encoded data comprises the central processing server encoding one of its previously generated and preserved session numbers into a QR code for the encoded data. A record of the session number is preserved in the database of the central processing server for later validation purposes.
  • the third party processing server requests and receives the encoded data from the central processing server by invoking the central processing server backend APIs.
  • the login page with the encoded data is displayed on the screen of the first mobile communication device or the first client computing device.
  • the user using a second mobile communication device that has already been registered and paired in the secure mobile transaction system, image-captures the encoded data.
  • the encoded data can also be printed on a physical media, such as a paper ticket or a carrying card, to be presented to the user to image-capture the encoded data using the second mobile communication device.
  • the second mobile communication device running the secure mobile transaction mobile application, decodes the image-captured encoded data and extracts the session number.
  • 5. (205) The second mobile communication device sends the extracted session number along with the identification data of the second mobile communication device to the central processing server.
  • the central processing server receives the session number and the identification data of the second mobile communication device; and validates the session number by matching the previously preserved record of the session number in its database. Upon positive validation, the central processing server retrieves the user account record by matching the identification data of the second mobile communication device. The central processing server associates the session number to the user account.
  • the third party processing server is notified of the successful association of the session number to the user account by way of the central processing server backend API callback or response, or repeated invocations (polling) of the central processing server backend APIs by the third party processing server.
  • after the notification is received, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the login page is re-rendered by the third party processing server with a visual cue for the user to proceed to the next step of the user authentication.
  • the user enters his/her security PIN in the user interface of the secure mobile transaction mobile application running in the second mobile communication device.
  • the second mobile communication device cryptographically encrypts the security PIN and sends the encrypted security PIN along with its identification data to the central processing server.
  • the central processing server receives the encrypted security PIN and the identification data of the second mobile communication device; retrieves the user account record by matching the identification data of the second mobile communication device; decrypts the encrypted security PIN and validates the decrypted security PIN against the security PIN stored in the user account record. Upon a positive validation, the user is considered authenticated and the session number is now associated with the user's logon session.
  • the third party processing server is notified of the successful user authentication by way of the central processing server backend API callback or response, or repeated invocations (polling) of the central processing server backend APIs by the third party processing server.
  • after the notification is received, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the web browser application is redirected to the target protected third party application or protected user interfaces provided by the central processing server.
  • the central processing server and the second mobile communication device, through the secure mobile transaction mobile application, are configured such that the security PIN to be provided by the user is optional in the user authentication.
  • the abovementioned steps 7 to 10 may be opted out, and in this case the user authentication is completed upon the positive validation of the session number and the identification data of the second mobile communication device received by the central processing server.
  • the embodiments disclosed herein may be implemented using general purpose or specialized computing devices, mobile communication devices, computer processors, or electronic circuitries including but not limited to digital signal processors (DSP), application specific integrated circuits (ASIC), field programmable gate arrays (FPGA), and other programmable logic devices configured or programmed according to the teachings of the present disclosure.
  • Computer instructions or software codes running in the general purpose or specialized computing devices, mobile communication devices, computer processors, or programmable logic devices can readily be prepared by practitioners skilled in the software or electronic art based on the teachings of the present disclosure.
  • the present invention includes computer storage media having computer instructions or software codes stored therein which can be used to program computers or microprocessors to perform any of the processes of the present invention.
  • the storage media can include, but are not limited to, floppy disks, optical discs, Blu-ray Disc, DVD, CD-ROMs, and magneto-optical disks, ROMs, RAMs, flash memory devices, or any type of media or devices suitable for storing instructions, codes, and/or data.
  • Exemplary embodiments of mobile communication devices include, but are not limited to, mobile telephones, mobile telephones with personal computer like capability (commonly referred to as "smartphones"), electronic personal digital assistants (PDAs), portable computers with wired or wireless wide-area-network and/or telecommunication capability such as tablet personal computers and "netbook" personal computers.
  • mobile communication devices include, but are not limited to, the Apple® iPhone®, Google® Nexus™ 10, HTC® One™, Nokia® Lumia™, Samsung® Galaxy™, and Sony® Xperia™.
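
The login flow listed above (session number encoded into a QR code, scan by the paired device, optional PIN, polling by the third party server), as an added Python example that is not code from the patent or from Mpayme. The checksum algorithm, the session lifetime, the PIN retry limit, the salted PIN hash and all names are assumptions; QR rendering and the transport encryption of the PIN are left out.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 120     # seconds; assumption, the page sets no lifetime
MAX_PIN_TRIES = 3     # assumption, the page sets no retry limit


def checksum(body: str) -> str:
    # Assumption: the page only says "2 checksum" characters; here they are
    # the first two hex digits of SHA-256 over the 30 random characters.
    return hashlib.sha256(body.encode()).hexdigest()[:2].upper()


def new_session_number() -> str:
    body = secrets.token_hex(15).upper()   # 30 characters from a CSPRNG
    return body + checksum(body)           # 32 characters in total


def well_formed(number) -> bool:
    return (isinstance(number, str) and len(number) == 32
            and checksum(number[:30]) == number[30:])


def pin_hash(pin: str, salt: bytes) -> bytes:
    # Assumption: the account record keeps a salted hash, not the PIN itself.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CentralServer:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.accounts = {}   # device id -> account record
        self.sessions = {}   # session number -> session record

    def pair_device(self, user, device_id, pin, pin_required=True):
        # An account pairs with one device at a time: drop any older pairing.
        self.accounts = {d: a for d, a in self.accounts.items()
                         if a["user"] != user}
        salt = secrets.token_bytes(16)
        self.accounts[device_id] = {"user": user, "salt": salt,
                                    "pin": pin_hash(pin, salt),
                                    "pin_required": pin_required}

    def issue_login_code(self) -> str:
        """Session number the login page encodes into the QR code."""
        number = new_session_number()
        self.sessions[number] = {"state": "issued", "device": None,
                                 "user": None, "tries": 0,
                                 "expires": self.clock() + SESSION_TTL}
        return number

    def _lookup(self, number):
        s = self.sessions.get(number) if well_formed(number) else None
        pending = s and s["state"] in ("issued", "awaiting_pin")
        if pending and self.clock() > s["expires"]:
            s["state"] = "expired"
        return s

    def submit_scan(self, number, device_id) -> bool:
        """Paired device reports the session number decoded from the QR code."""
        s, acct = self._lookup(number), self.accounts.get(device_id)
        if not s or not acct or s["state"] != "issued":
            return False      # unknown, expired, already claimed, or unpaired
        s.update(device=device_id, user=acct["user"],
                 state="awaiting_pin" if acct["pin_required"]
                 else "authenticated")
        return True

    def submit_pin(self, device_id, pin) -> bool:
        """Paired device sends the PIN; the pending session is found by device."""
        acct = self.accounts.get(device_id)
        number = next((n for n, s in self.sessions.items()
                       if s["device"] == device_id
                       and s["state"] == "awaiting_pin"), None)
        s = self._lookup(number)
        if not acct or not s or s["state"] != "awaiting_pin":
            return False
        if hmac.compare_digest(pin_hash(pin, acct["salt"]), acct["pin"]):
            s["state"] = "authenticated"
            return True
        s["tries"] += 1
        if s["tries"] >= MAX_PIN_TRIES:
            s["state"] = "rejected"
        return False

    def poll(self, number) -> str:
        """State the third party server reads when it polls the backend API."""
        s = self._lookup(number)
        return s["state"] if s else "unknown"


if __name__ == "__main__":
    server = CentralServer()
    server.pair_device("alice", "device-A", "4821")   # constructed values
    code = server.issue_login_code()
    server.submit_scan(code, "device-A")
    server.submit_pin("device-A", "4821")
    print(code, server.poll(code))
```

A scan from an unpaired device, a second scan of an already claimed session number, and a scan after `SESSION_TTL` all return `False`, so `poll` never reports `authenticated` for them.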

Abstract

The user authentication method comprises: a central processing server generates an encoded data, such as a QR code, from encoding a session number, which can be randomly generated; a first client computing device displays a login page that includes the QR code to a user for authentication; the user uses a mobile communication device that has already been registered and paired with the user account stored in the central processing server to image-capture the QR code, and sends the decoded QR code data to the central processing server; the central processing server validates the decoded QR code data against the session number; upon a positive validation, the user may need, according to configuration, to enter his/her security PIN in the second mobile communication device, and the PIN is sent to the central processing server for validation; and upon a positive validation, the user authentication is completed.

Description

METHOD AND SYSTEM FOR AUTHENTICATING USER USING OUT-OF-BAND CHANNEL
Claim for Domestic Priority:
[0001] This application claims priority under 35 U.S.C. § 119 to the United States Provisional Patent Application No. 61/842,386, filed July 3, 2013, the disclosure of which is incorporated herein by reference in its entirety.
Cross-references to Related Applications:
[0002] This application is a continuation-in-part application of the United States Patent Application No. 13/602,197 filed September 2, 2012, the disclosure of which is incorporated herein by reference in its entirety.
Field of the Invention:
[0003] The present invention relates generally to methods and systems of online user authentication. Particularly, the present invention relates to online user authentication techniques that utilize out-of-band channels.
Background:
[0004] Many online activities, such as making online purchases and payments, which involve accessing personal and protected information often require user authentication. The most common form of user authentication is the use of a login challenge for a user identifier and password. However, there are a number of drawbacks in this form of user authentication, which include forgotten password, stolen user identifier and/or password, and too simple password, resulting in weak security. Other multi-factor and strong authentication methods and systems have been developed; but most could not uphold strong security without sacrificing user convenience. Therefore, there is a need for a user authentication method and system that can support strong security and yet demand minimal efforts on the part of the users.
Summary:
[0005] It is an objective of the present invention to provide a method and system for online user authentication using a mobile communication device. Since the mobile communication device is pre-registered in the user authentication authority system and can uniquely identify the authenticating user, it serves as the out-of-band channel for authenticating the user. It is a further objective of the present invention to provide such a method and system that support strong security and require the user to memorize and supply only a security personal identification number for authentication.
[0006] In accordance with various embodiments, the present invention can be implemented as an extension to the secure mobile payment system described in United States Patent Application No. 13/602,197.
[0007] In accordance with various embodiments, the present invention comprises a central processing server accessible through a communication network, such as the Internet; a plurality of users; mobile communication devices and client computing devices that can access the central processing server; and a third party computing processor that can access the central processing server.
[0008] In accordance with various embodiments, the functionalities of the central processing server comprises user authentication, user account management for managing user accounts, wherein the user accounts contain user identification and authentication credentials, and are stored securely in a database.
[0009] In accordance with various embodiments, the central processing server includes a plurality of user interfaces for user interaction using various types of computing devices and mobile communication devices running web browser applications. In addition, the central processing server also includes server backend APIs for machine-to-machine integration enabling specially-developed applications running in the third party computing processor to communicate with the central processing server. These user interfaces and server backend APIs facilitate the functionalities including, but are not limited to, user authentication, user account management and online shopping by users, system administration by administrators, online shopping inventory, payment, and fulfillment management by users.
[0010] In accordance with various embodiments, each of the mobile communication devices is equipped with a camera or scanner for optically capturing images of computer-generated encoded data such as barcodes. In accordance with various embodiments, the mobile communication device is configured to process the captured encoded data image and exchange data with the central processing server for facilitating various aforementioned functionalities such as user authentication.
[0011] The central processing server with its database, user interfaces and server backend APIs, and the mobile communication devices running the secure mobile transaction mobile application constitute a secure mobile transaction system. In accordance with various embodiments, each user account in the secure mobile transaction system may associate (pair) with only a single mobile communication device at any one time.
[0012] In one aspect of the present invention, a user who has already been registered and created a valid user account in the secure mobile transaction system may use his/her mobile communication device that has already been registered and paired in the secure mobile transaction system to authenticate for accessing a protected third party application, such as a third party web site, provided by the third party processing server, or one or more protected user interfaces provided by the central processing server. The user authentication method comprises: the central processing server generates an encoded data, such as a QR code, from encoding a session number, which can be randomly generated; a first mobile communication device or a first client computing device displays a login page that includes the QR code to the user for authentication; the user uses a second mobile communication device that has already been registered and paired in the secure mobile transaction system to image-capture the QR code, and sends the decoded QR code data to the central processing server; the central processing server validates the decoded QR code data against the session number; upon a positive validation, the user enters his/her security PIN in the second mobile communication device, and the PIN is sent to the central processing server for validation; and upon a positive validation, the user authentication is completed.
Brief Description of the Drawings:
[0013] Embodiments of the invention are described in more detail hereinafter with reference to the drawings, in which
[0014] FIG. 1 shows a block diagram illustrating an embodiment of the presently claimed secure mobile transaction system; and
[0015] FIG. 2 depicts a user activity diagram illustrating an embodiment of user authentication process using the secure mobile transaction system; and
[0016] FIG. 3 shows an exemplary embodiment of the transitioning user interface being displayed during the user authentication process using the secure mobile transaction system.
Detailed Description:
[0017] In the following description, methods and systems of online user authentication using out-of-band channels and the like are set forth as preferred examples. It will be apparent to those skilled in the art that modifications, including additions and/or substitutions may be made without departing from the scope and spirit of the invention. Specific details may be omitted so as not to obscure the invention; however, the disclosure is written to enable one skilled in the art to practice the teachings herein without undue experimentation.
[0018] System:
[0019] Referring to FIG. 1. In accordance with various embodiments the presently claimed invention comprises a central processing server 105 accessible through a first communication network 104, which can be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol; a plurality of users 101 each associating with a user account; mobile communication devices 102 that can access the central processing server 105 through the first communication network 104; client computing devices 103 that can access the central processing server 105 and a third party processing server 107 through a second communication network 106, which can be the same as the first communication network 104 or a separate communication network that can be the Internet, a telecommunication network, or any network supporting the TCP/IP protocol.
[0020] In accordance with various embodiments, the functionalities of the central processing server 105 comprise user authentication and user account management for managing user accounts, wherein a data record of a user account comprises the user's identification and authentication credential.
[0021] In accordance with various embodiments, the central processing server 105 includes at least one group of user interfaces for users accessible by the mobile communication devices 102 and the client computing devices 103. The group of user interfaces includes interactive transactional web pages that can be displayed in web browser applications running in the mobile communication devices 102 and the client computing devices 103, and user interfaces that are specifically designed for specifically-developed mobile applications running in the mobile communication devices 102. One exemplary embodiment of such user interface is a mobile application (App) running on the iOS® operating system developed by Apple® Inc. Another exemplary embodiment of such user interface is a mobile application (App) running on the Android® operating system developed by Google® Inc. The central processing server also provides another group of user interfaces for system administrative users.
[0022] In addition to the groups of user interfaces, the central processing server 105 also includes server backend APIs for machine-to-machine integration, enabling specifically-developed software applications running in the third party processing server 107 to communicate with the central processing server 105. In accordance with various embodiments, the machine-to-machine data interchanges via the server backend APIs support industry standards including, but not limited to, XML and JSON.
[0023] These user interfaces and server backend APIs facilitate the functionalities including, but are not limited to, user authentication, user account management, and online shopping by users, system administration by administrators, online shopping inventory, payment, and fulfillment management by users.
[0024] In accordance with various embodiments, the central processing server 105 includes a database for preserving data records of the user accounts, system configuration data, and other meta data. The database can be implemented in the same physical computer server of the central processing server 105, or in a separate physical computer server. Exemplary embodiments of the database are various commercially available relational database management systems such as Oracle® Database and Microsoft® SQL Server.
[0025] In accordance with various embodiments, each of the mobile communication devices 102 is equipped with a camera or scanner for optically capturing images of computer-generated encoded data such as barcodes. In accordance with various embodiments, the mobile communication device is configured to process the captured encoded data image and exchange data with the central processing server for facilitating various aforementioned functionalities such as user authentication. In accordance with various embodiments, the mobile communication device configuration for processing the encoded data and executing a mobile transaction is accomplished by installing and executing mobile application software and/or firmware specifically designed for the mobile communication device (hereinafter referred to as secure mobile transaction mobile application). Optionally, the operating system (OS) of the mobile communication device is modified and/or configured to accomplish portions or all of the aforementioned functionalities.
[0026] The central processing server 105 with its database, user interfaces and server backend APIs, and the mobile communication devices 102 running the secure mobile transaction mobile application constitute a secure mobile transaction system. In accordance with various embodiments, each user account in the secure mobile transaction system may associate (pair) with only a single mobile communication device 102 at any one time. Each of the users 101 may also be required to define a security personal identification number (PIN) for his/her user account according to the system configuration. A user account is created in the central processing server and its record data is stored in the database of the central processing server when a new user is registered in the secure mobile transaction system. The user registration process includes steps for registering and pairing his/her mobile communication device. In accordance with various embodiments, the user registration process adopts that of the secure mobile payment system as disclosed in United States Patent Application No. 13/602,197.
[0027] In accordance with various embodiments, the computer-generated barcode is a matrix or two-dimensional barcode such as a Quick Response (QR) code. The barcode can be generated by the central processing server 105. The barcode contains at least an identity data, which is unique to each barcode at least within the secure mobile transaction system if not globally. The barcode can be electronically displayed on the screen of a client computing device 103 or mobile communication device 102. The barcode can also be printed and displayed on various portable articles including, but not limited to, a paper ticket and a carrying card.
[0028] In accordance with various embodiments, all communications between the mobile communication devices 102 and the central processing server 105 are PKI encrypted using, for example, AES, and the data communication messages are transmitted over Secure Socket Layer (SSL).
[0029] User Authentication:
[0030] In accordance to one embodiment, a user who has already been registered and created a valid user account in the secure mobile transaction system may use his/her mobile communication device that has already been registered and paired in the secure mobile transaction system to authenticate for accessing a protected third party application, such as a third party web site, provided by the third party processing server, or one or more protected user interfaces provided by the central processing server.
[0031] Referring to FIG. 2. The user authentication method comprises the following steps:
[0032] 1. (201) A user requesting to access the protected third party application provided by the third party processing server or the one or more protected user interfaces provided by the central processing server, wherein the protected third party application can be a third party web site that is protected by access control and requires user authentication for its access and which can be accessed through a web browser application running in a first mobile communication device or a first client computing device, and wherein the protected user interfaces provided by the central processing server can be interactive transactional web pages that are protected by access control and require user authentication for their accesses and which can be accessed through a web browser application running in a first mobile communication device or a first client computing device.
[0033] 2. (202) The user is redirected to a login page, wherein the login page can be served from the third party processing server or the central processing server. The login page includes an encoded data such as a barcode that is displayed on the screen of the first mobile communication device or the first client computing device. The barcode can be a QR code. The encoded data is dynamically generated by the central processing server during the rendering of the login page.
[0034] In one embodiment, the generation of the encoded data comprises the central processing server generating a random number, wherein the random number can be 32 characters (30 characters + 2 checksum) in length; and encoding the random number into a QR code for the encoded data. The random number is a session number for later associating with the user's logon session. In an alternative embodiment, the generation of the encoded data comprises the central processing server encoding one of its previously generated and preserved session numbers into a QR code for the encoded data. A record of the session number is preserved in the database of the central processing server for later validation purposes.
[0035] If the login page is served by the third party processing server, the third party processing server requests and receives the encoded data from the central processing server by invoking the central processing server backend APIs.
[0036] 3. (203) The login page with the encoded data is displayed on the screen of the first mobile communication device or the first client computing device. The user, using a second mobile communication device that has already been registered and paired in the secure mobile transaction system, image-captures the encoded data.
[0037] In an alternative embodiment, instead of being displayed on the screen of the first mobile communication device or the first client computing device, the encoded data can also be printed on a physical media, such as a paper ticket or a carrying card, to be presented to the user to image-capture the encoded data using the second mobile communication device.
[0038] 4. (204) The second mobile communication device, running the secure mobile transaction mobile application, decodes the image-captured encoded data and extracts the session number.
[0039] 5. (205) The second mobile communication device sends the extracted session number along with the identification data of the second mobile communication device to the central processing server.
[0040] 6. (206) The central processing server receives the session number and the identification data of the second mobile communication device; and validates the session number by matching the previously preserved record of the session number in its database. Upon positive validation, the central processing server retrieves the user account record by matching the identification data of the second mobile communication device. The central processing server associates the session number to the user account.
[0041] 7. (207) If the login page is served by the central processing server, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the login page is re-rendered by the central processing server with visual cue for the user to proceed to the next step of the user authentication.
[0042] If the login page is served by the third party processing server, the third party processing server is notified of the successful association of the session number to the user account by way of the central processing server backend API callback or response, or repeated invocations (polling) of the central processing server backend APIs by the third party processing server. Once the notification is received, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the login page is re-rendered by the third party processing server with visual cue for the user to proceed to the next step of the user authentication.
[0043] 8. (208) The user enters his/her security PIN in the user interface of the secure mobile transaction mobile application running in the second mobile communication device.
[0044] 9. (209) The second mobile communication device cryptographically encrypts the security PIN and sends the encrypted security PIN along with its identification data to the central processing server.
[0045] 10. (210) The central processing server receives the encrypted security PIN and the identification data of the second mobile communication device; retrieves the user account record by matching the identification data of the second mobile communication device; decrypts the encrypted security PIN and validates the decrypted security PIN against the security PIN stored in the user account record. Upon a positive validation, the user is considered authenticated and the session number is now associated with the user's logon session.
[0046] 11. (211) If the login page is served by the central processing server, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the web browser application is redirected to the target protected third party application or protected user interfaces provided by the central processing server.
[0047] If the login page is served by the third party processing server, the third party processing server is notified of the successful user authentication by way of the central processing server backend API callback or response, or repeated invocations (polling) of the central processing server backend APIs by the third party processing server. Once the notification is received, when the web browser application displaying the login page is refreshed under auto-reload (polling) or manual reload, the web browser application is redirected to the target protected third party application or protected user interfaces provided by the central processing server.
[0048] In another embodiment, the central processing server and the second mobile communication device, through the secure mobile transaction mobile application, are configured as such that the security PIN to be provided by the user is optional in the user authentication. Thus, the abovementioned steps 7 to 10 may be opted out, and in this case the user authentication is completed upon the positive validation of the session number and the identification data of the second mobile communication device received by the central processing server.
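The server-side bookkeeping behind steps 202 to 211 can be modelled as a small state machine; the following is an added example, not code from the patent or its applicant. The checksum scheme, the 120-second expiry, the PIN attempt limit and the salted PBKDF2 PIN store (used here in place of the stored PIN described in step 210) are assumptions, and transport encryption is left out.

```python
import hashlib
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols (assumed alphabet)
SESSION_TTL = 120   # seconds a displayed code stays valid (assumed)
MAX_PIN_TRIES = 3   # failed PINs before the account locks (assumed)


def checksum(body):
    """Two check characters over the 30-character body (assumed scheme)."""
    d = hashlib.sha256(body.encode()).digest()
    return ALPHABET[d[0] % 32] + ALPHABET[d[1] % 32]


def pin_hash(pin, salt):
    # Assumption: a salted PBKDF2 hash replaces the stored PIN of step 210.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class CentralServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}  # session number -> {"state", "device", "expires"}
        self.accounts = {}  # device identification data -> account record

    def register(self, user, device_id, pin):
        """Registration and pairing, reduced to what authentication needs."""
        salt = secrets.token_bytes(16)
        self.accounts[device_id] = {"user": user, "salt": salt,
                                    "pin": pin_hash(pin, salt), "tries": 0}

    def new_session(self):
        """Step 202: the session number that gets encoded into the QR code."""
        body = "".join(secrets.choice(ALPHABET) for _ in range(30))
        number = body + checksum(body)
        self.sessions[number] = {"state": "PENDING", "device": None,
                                 "expires": self.clock() + SESSION_TTL}
        return number

    def _live(self, number):
        # Drop malformed values before any lookup, then enforce expiry.
        if len(number) != 32 or checksum(number[:30]) != number[30:]:
            return None
        rec = self.sessions.get(number)
        if rec is not None and self.clock() > rec["expires"]:
            del self.sessions[number]
            return None
        return rec

    def scan(self, number, device_id):
        """Steps 205-206: bind a pending session to the paired device."""
        rec = self._live(number)
        if rec is None or rec["state"] != "PENDING":
            return False  # unknown, expired, or already claimed
        if device_id not in self.accounts:
            return False  # device was never registered and paired
        rec["state"], rec["device"] = "SCANNED", device_id
        return True

    def submit_pin(self, number, device_id, pin):
        """Steps 209-210: accept the PIN only from the device that scanned."""
        rec = self._live(number)
        if rec is None or rec["state"] != "SCANNED" or rec["device"] != device_id:
            return False
        acct = self.accounts[device_id]
        if acct["tries"] >= MAX_PIN_TRIES:
            return False
        if not hmac.compare_digest(pin_hash(pin, acct["salt"]), acct["pin"]):
            acct["tries"] += 1
            return False
        acct["tries"] = 0
        rec["state"] = "AUTHENTICATED"
        return True

    def poll(self, number):
        """Steps 207 and 211: what a reload of the login page learns."""
        rec = self._live(number)
        if rec is None:
            return ("INVALID", None)
        if rec["state"] != "AUTHENTICATED":
            return (rec["state"], None)
        return ("AUTHENTICATED", self.accounts[rec["device"]]["user"])


if __name__ == "__main__":
    srv = CentralServer()
    srv.register("alice", "device-A", "4821")  # constructed sample account
    n = srv.new_session()
    print(srv.poll(n), srv.scan(n, "device-A"), srv.poll(n))
    print(srv.submit_pin(n, "device-A", "4821"), srv.poll(n))
```

The state checks are what keep a session number single-use: once one paired device has claimed it, a second scan or a PIN from a different device is refused, and an expired number is purged on its next lookup.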
[0049] The embodiments disclosed herein may be implemented using general purpose or specialized computing devices, mobile communication devices, computer processors, or electronic circuitries including but not limited to digital signal processors (DSP), application specific integrated circuits (ASIC), field programmable gate arrays (FPGA), and other programmable logic devices configured or programmed according to the teachings of the present disclosure. Computer instructions or software codes running in the general purpose or specialized computing devices, mobile communication devices, computer processors, or programmable logic devices can readily be prepared by practitioners skilled in the software or electronic art based on the teachings of the present disclosure.
[0050] In some embodiments, the present invention includes computer storage media having computer instructions or software codes stored therein which can be used to program computers or microprocessors to perform any of the processes of the present invention. The storage media can include, but are not limited to, floppy disks, optical discs, Blu-ray Disc, DVD, CD-ROMs, and magneto-optical disks, ROMs, RAMs, flash memory devices, or any type of media or devices suitable for storing instructions, codes, and/or data.
[0051] Exemplary embodiments of mobile communication devices include, but are not limited to, mobile telephones, mobile telephones with personal computer like capability (commonly referred to as "smartphones"), electronic personal digital assistants (PDAs), portable computers with wired or wireless wide-area-network and/or telecommunication capability such as tablet personal computers and "netbook" personal computers. Examples of mobile communication devices include, but are not limited to, the Apple® iPhone®, Google® Nexus™ 10, HTC® One™, Nokia® Lumia™, Samsung® Galaxy™, and Sony® Xperia™.
[0052] The foregoing description of the present invention has been provided for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to the practitioner skilled in the art.
[0053] The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, thereby enabling others skilled in the art to understand the invention for various embodiments and with various modifications that are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the following claims and their equivalence.

Claims

1. A computer processor implemented method for online user authentication, comprising:
generating an encoded data, by a central processing server, wherein the encoded data is encoded for a data comprising a session number stored in the central processing server;
presenting the encoded data to a user for user authentication;
image-capturing the encoded data, by a mobile communication device equipped with a camera or optical scanner, wherein the mobile communication device is associated with a user account associated with the user, wherein the user account record is stored in the central processing server, and wherein the user account record comprises an identification data of the mobile communication device;
decoding the image-captured encoded data, by the mobile communication device, to extract the session number;
sending, by the mobile communication device, the extracted session number and an identification data of the mobile communication device to the central processing server; and
authenticating the user, by the central processing, by matching the extracted session number and the identification data of the mobile communication device received from the mobile communication to the session number stored in the central processing and the identification data of the mobile communication device in the user account record.
2. The method of claim 1, wherein the encoded data is a quick response (QR) code.
3. The method of claim 1, further comprising: capturing, by the mobile communication device, a security personal identification number (PIN) provided by the user, wherein the user account record further comprises a saved security PIN pre-defined by the user;
sending, by the mobile communication device, the security PIN to the central processing server; and
authenticating the user, by the central processing server, by matching the security PIN received from the mobile communication device with the saved security PIN pre-defined by the user in the user account record in addition to matching the extracted session number and the identification data of the mobile communication device received from the mobile communication to the session number stored in the central processing and the identification data of the mobile communication device in the user account record.
4. The method of claim 1, wherein the presentation of the encoded data to a user for user authentication is by displaying a login user interface that includes the encoded data on a screen of a client computing device.
5. The method of claim 1, wherein the presentation of the encoded data to a user for user authentication is by presenting a physical media imprinted with the encoded data.
6. A system for online authenticating a user, comprising:
a central processing server configured to:
generate an encoded data, wherein the encoded data is encoded for a data comprising a session number stored in the central processing server; and
authenticate the user by matching the extracted session number and an identification data of an mobile communication device received from the mobile communication to the session number stored in the central processing and the identification data of the mobile communication device in an user account record associated with the user;
the mobile communication device, which is equipped with a camera or optical scanner, is configured to:
image-capture the encoded data when the encoded data is presented for user authentication;
decode the image-captured encoded data to extract the session number; and
send the extracted session number and an identification data of the mobile communication device to the central processing server;
wherein the mobile communication device is associated with the user account, wherein the user account record is stored in the central processing server, and wherein the user account record comprises an identification data of the mobile communication device.
7. The system of claim 6, wherein the encoded data is a quick response (QR) code.
8. The system of claim 6, wherein:
the mobile communication device is further configured to:
capture a security personal identification number (PIN) provided by the user, wherein the user account record further comprises a saved security PIN pre-defined by the user; and
send the security PIN to the central processing server; and
the central process server is further configured to:
authenticate the user by matching the security PIN received from the mobile communication device with the saved security PIN pre-defined by the user in the user account record in addition to matching the extracted session number and the identification data of the mobile communication device received from the mobile communication to the session number stored in the central processing and the identification data of the mobile communication device in the user account record.
9. The system of claim 6, wherein the presentation of the encoded data for user authentication is by displaying a login user interface that includes the encoded data on a screen of a client computing device.
10. The system of claim 6, wherein the presentation of the encoded data for user authentication is by presenting a physical media imprinted with the encoded data.
PCT/CN2014/081588 2013-07-03 2014-07-03 Method and system for authenticating user using out-of-band channel WO2015000425A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP14820320.1A EP3017391A4 (en) 2013-07-03 2014-07-03 Method and system for authenticating user using out-of-band channel
CN201480038231.XA CN105556531A (en) 2013-07-03 2014-07-03 Method and system for authenticating user using out-of-band channel

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201361842386P 2013-07-03 2013-07-03
US61/842,386 2013-07-03

Publications (1)

Publication Number Publication Date
WO2015000425A1 true WO2015000425A1 (en) 2015-01-08

Family

ID=52143120

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/081588 WO2015000425A1 (en) 2013-07-03 2014-07-03 Method and system for authenticating user using out-of-band channel

Country Status (3)

Country Link
EP (1) EP3017391A4 (en)
CN (1) CN105556531A (en)
WO (1) WO2015000425A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104618401A (en) * 2015-03-10 2015-05-13 四川省宁潮科技有限公司 Real-name system-based wifi one-key logging method
CN104639566A (en) * 2015-03-10 2015-05-20 四川省宁潮科技有限公司 Transaction authorizing method based on out-of-band identity authentication
GB2591759A (en) * 2020-02-05 2021-08-11 Vst Enterprises Ltd System and process for Validation

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2525930B (en) * 2014-05-09 2018-08-22 Smartglyph Ltd Method of authentication

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102595643A (en) * 2010-11-19 2012-07-18 罗技欧洲股份有限公司 System and method used for connection and pairing of wireless devices
WO2012135563A1 (en) * 2011-03-31 2012-10-04 Sony Mobile Communications Ab System and method for establishing a communication session
CN102939613A (en) * 2010-06-04 2013-02-20 维萨国际服务协会 Payment tokenization apparatuses, methods and systems
US20130167208A1 (en) * 2011-12-22 2013-06-27 Jiazheng Shi Smart Phone Login Using QR Code

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8769784B2 (en) * 2009-11-02 2014-07-08 Authentify, Inc. Secure and efficient authentication using plug-in hardware compatible with desktops, laptops and/or smart mobile communication devices such as iPhones
EP2602735B1 (en) * 2011-12-09 2018-04-04 BlackBerry Limited Secure authentication


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP3017391A4 *


Also Published As

Publication number Publication date
EP3017391A4 (en) 2016-12-28
EP3017391A1 (en) 2016-05-11
CN105556531A (en) 2016-05-04


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480038231.X

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14820320

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2014820320

Country of ref document: EP