WO2015033061A1 - Method for authenticating a transaction - Google Patents


Info

Publication number
WO2015033061A1
Authority
WO
WIPO (PCT)
Prior art keywords
sonic
authentication server
ultrasonic
message
mobile
Prior art date
Application number
PCT/FR2014/052176
Other languages
French (fr)
Inventor
Emmanuel Ruiz
Original Assignee
Emmanuel Ruiz
Priority date
Filing date
Publication date
Priority claimed from FR1358428A external-priority patent/FR3010214B1/en
Priority claimed from FR1456157A external-priority patent/FR3023115B1/en
Application filed by Emmanuel Ruiz filed Critical Emmanuel Ruiz
Publication of WO2015033061A1 publication Critical patent/WO2015033061A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification

Definitions

  • the present invention relates to a method of authentication between two users of a data transfer method. More precisely, it relates to a so-called strong authentication method, contactless in the near field, in particular for a remote payment method.
  • server generally refers to the computer function of making data and/or computer resources available to humans and/or machines, these resources being accessible via at least one communication network (telecommunication network and/or computer network).
  • a server may physically consist of any computer system, including a single computer or a plurality of computers connected in a network or grid.
  • mobile and its derivatives, applied to a terminal, designate the fact that the latter is portable and adapted to operate wirelessly with an external environment, in particular to communicate with a network.
  • user denotes a human using at least a part of a process according to the invention.
  • the term "transaction" generally refers to any operation that may occur between users and that is subject at least to an authentication by at least one secure server. It can in particular be a financial transaction (including a bank transaction such as a transfer); a commercial transaction (including a payment transaction during a purchase); a legal or contractual transaction (proof of consent given to an agreement, for example when accessing a network or when downloading or using software); or a technical transaction (for example configuration of access to a network (for example telecommunications and/or computer) for an identified user).
  • "audio" and "acoustic" generally refer to sounds and sound waves, that is to say both to sounds audible to the human ear and to ultrasound.
  • the expression "sonic and/or ultrasonic message" refers to any continuous, uninterrupted transmission of an acoustic signal over a time interval, at the beginning of which the acoustic signal begins and at the end of which it stops.
  • the terms "sonic" and "sound" are taken to be synonymous.
  • the terms "ultrasonic" and "ultrasound" are taken to be synonymous.
  • coded and its derivatives, applied to a message, refer to the fact that this message contains a code that cannot be detected by a human from mere knowledge of the message. A coded acoustic message is therefore unintelligible.
  • decode and its derivatives, applied to a coded message, refer to extracting the code carried by the coded message.
  • encrypted and its derivatives refer to the fact that a signal, a set of data, a message or a code has been encrypted so that it is not understandable by a human or by a machine that does not have the decryption method for recovering the signal, data set, message or code.
  • one of the most commonly used methods to date is that in which, once a transaction is performed and payment is requested online by the user on an e-commerce site, said user receives from his bank a code in the form of an SMS on his mobile phone, and must enter this code on the payment user interface of his transaction to authenticate it.
  • the fact that the person carrying out the transaction has the mobile phone of the holder of the bank account is considered sufficient proof of the identity of this holder.
  • NFC: Near Field Communication
  • US 2011/258121 discloses a method and apparatus for enabling an automatic payment in which the equipment of the user wishing to make the payment generates and issues an audio token; the merchant's equipment picks up that audio token, decodes it and transmits a payment authorization request to a remote host center.
  • the audio token generated by the user equipment may incorporate a password that has been previously transmitted to it by the remote server center.
  • the invention therefore relates to a method of transaction authentication between two users of said method, a first user being provided with a first mobile terminal, a second user being provided with a second mobile terminal, at least one of these mobile terminals comprising means for transmitting an audio band signal, and at least the other mobile terminal having means for receiving an audio signal, said method comprising steps in which:
  • a one-time password is generated by an authentication server at the request of one of the two users, said one-time password is transmitted, via a communication network, to a mobile terminal associated with one of the users,
  • said one-time password is coded in the form of at least one sonic and / or ultrasonic message comprising at least part of the single-use password coded in the form of sounds and / or ultrasound in a band of frequencies compatible with reception by a mobile phone,
  • each sonic and / or ultrasonic message is transmitted by a mobile terminal and listened to by the other mobile terminal,
  • each sonic and / or ultrasonic message received by a mobile terminal is retransmitted by the mobile terminal to the authentication server for comparison with an expected message and for validation,
  • the one-time password is cut into at least two segments sent to at least one of the mobile terminals,
  • the sonic and / or ultrasonic messages corresponding to the one-time password segments are exchanged sonically and / or ultrasonically between the mobile terminals,
  • the authentication server receives the sonic and/or ultrasonic messages corresponding to the one-time password segments from the mobile terminals, decodes them to extract the segments, and compares the message once reconstituted with said one-time password for validation.
  • the authentication server cuts the one-time password in at least two segments (generally more than two segments) and sends these segments to at least one of the mobile terminals.
  • at least part of the one-time password is cut into at least two segments (usually more than two segments) by at least one of the terminals (the transmitter of the sonic and/or ultrasonic messages corresponding at least to these segments).
  • each segment may or may not be encrypted.
  • At least a portion of the segments of the one-time password is encoded into sonic and / or ultrasonic messages at the authentication server before transmission to the mobile terminals.
  • at least a portion of the one-time password segments are encoded into sonic and / or ultrasonic messages at at least one mobile terminal.
  • the authentication server sends at least one segment (generally several segments) of the one-time password to one of the mobile terminals, and at least one other segment (generally several segments) of the one-time password to the other mobile terminal:
  • the mobile terminals transmit sonic and / or ultrasonic messages corresponding to each password segment that they have received from the authentication server,
  • the mobile terminals listen to said sonic and / or ultrasonic messages and transmit them to the authentication server,
  • the authentication server receives the sonic and / or ultrasonic messages from the mobile terminals, decodes them to extract the segments and reconstruct a message with these segments, and compares the reconstituted message with the said one-time password for validation.
  • a method according to the invention comprises a step of verifying and validating the sonic and / or ultrasonic communication channels between the two mobile terminals before sending said segments to the mobile terminals.
  • the invention thus relates in particular to a method of transaction authentication between two users of said method (called client and merchant), a first user being provided with a first mobile terminal, a second user having a second mobile terminal, at least one of these mobile terminals having means for transmitting an audio band signal, and at least the other mobile terminal having means for receiving an audio band signal.
  • Acoustic waves are therefore used to exchange information between the two devices in a secure manner.
  • the method comprises steps in which:
  • an authentication message is generated by an authentication server at the request of one of the two users,
  • said authentication message is transmitted, via a communication network, to a mobile terminal associated with one of the users,
  • said authentication message is encoded in the form of a sonic and / or ultrasonic message comprising at least part of the message coded in the form of sounds or ultrasound in the frequency band compatible with reception by a conventional mobile telephone,
  • said sonic and / or ultrasonic message is transmitted by said mobile terminal and listened to by the other mobile terminal, associated with the other user,
  • the received sonic and / or ultrasonic message is retransmitted by the second mobile terminal to the authentication server for comparison with the expected message and for validation.
  • the authentication process includes two security factors: the first is the user name and PIN code, which guarantees the identity of the user, and the second is a sonic and/or ultrasonic code that guarantees the proximity and possession of the devices involved in the transaction. This is a near field authentication.
  • the transformation of the authentication message into a sonic and/or ultrasonic message is performed at the authentication server before transmission to the mobile terminal
  • the authentication server is then, for example, of the IVR type ("Interactive Voice Response" server).
  • the transformation (coding and possibly scrambling) of the authentication message into a sonic and/or ultrasonic message is performed at the mobile terminal.
  • the authentication message is of the one-time password (OTP) type, specific to each transaction to be signed. This provision ensures increased security of the transaction.
  • the method includes a step of verifying and validating the sonic and / or ultrasonic communication channels between the two mobile terminals.
  • the method adapts to existing conditions at the merchant and customer level, and optimizes the strength of authentication based on these available communication channels. In particular, it is able to use the ultrasonic capabilities of the terminals, if they have them.
  • a first mobile terminal, called the "merchant's payment terminal", is assumed to have means for listening to a sonic and/or ultrasonic message and retransmitting it to a server called the "authentication server", and a second mobile terminal, of the mobile phone type, called the "client's mobile phone", is assumed to have a software application adapted to transform (code and possibly scramble) a message received from the authentication server; the method includes the following steps:
  • in step 301, the merchant's payment terminal issues a transaction authorization request to the authentication server,
  • in step 302, the authentication server checks the sonic and/or ultrasonic communication means existing between the merchant's payment terminal and the customer's mobile phone,
  • in step 303, in the case where the two terminals are capable of sending and receiving sonic and/or ultrasonic messages, the authentication server obtains or generates a one-time password, then cuts this password into at least two segments (generally more than two segments), and sends at least one segment (in particular some of these segments) to the payment terminal, and at least one other segment (in particular the other segments) to the customer's mobile phone, at least a part of these segments of the one-time password being transformed (coded and possibly scrambled and/or encrypted) by the payment terminal or the mobile telephone into sonic and/or ultrasonic messages in a frequency band compatible with the transmission means of said payment terminal and with the receiving means of a mobile phone,
  • the payment terminal and the mobile telephone transmit the sonic and/or ultrasonic messages corresponding to the password segments that they have received from the authentication server,
  • in step 304, the customer's mobile telephone and the payment terminal listen to said sonic and/or ultrasonic messages and record them, then transmit these recordings to the authentication server,
  • in step 305, the authentication server receives the recordings of the sonic and/or ultrasonic messages from the customer's mobile phone and the payment terminal, decodes these sonic and/or ultrasonic messages to extract the segments, and compares the reconstituted message with the original password for validation.
  • the second mobile terminal is of the mobile phone type, called the "client's mobile phone"
  • the second mobile terminal is assumed to have a software application adapted to transform a message received from a server associated with the authentication generator, called the "authentication server", into a sonic and/or ultrasonic message optionally having undergone a deliberate distortion (scrambling); the first mobile terminal, called the "merchant's payment terminal", is provided with means to listen to a sonic and/or ultrasonic message and retransmit it to the authentication server, and with means to generate a one-time password
  • the method comprises in particular the following steps:
  • in step 401, the merchant's payment terminal issues a transaction authorization request to the authentication server and initiates the transaction,
  • in step 402, the payment terminal checks the sonic and/or ultrasonic communication means existing between the merchant's payment terminal and the customer's mobile phone,
  • in step 403, in the favorable case, the payment terminal cuts the password generated by the authentication server into at least two segments, sends at least one segment (in particular some of these segments) to the client's mobile phone through the authentication server, and at least one other segment (in particular the other segments) by sonic and/or ultrasonic means,
  • in step 404, the customer's mobile telephone listens to the sonic and/or ultrasonic message received from the payment terminal and records it, then transmits this recording to the payment terminal via said authentication server,
  • in step 405, the payment terminal receives the information from the customer's mobile phone, extracts the original message, and compares this message once reconstituted with the original password.
  • in step 404, the transmission of the recording and of the received message segment is performed through the authentication server.
  • in step 404, at least part of the recording and each received message segment is sent in sonic and/or ultrasonic form by the customer's mobile phone to the payment terminal.
  • the single-use authentication message provided by the authentication server is encoded by the authentication server itself in the form of a sonic and/or ultrasonic message; the authentication server is then, for example, a VoIP (Voice over IP) type server, that is to say one capable of generating telephone calls and signals in a sonic and/or ultrasonic frequency band.
  • the invention relates in a second aspect to a payment terminal, a mobile phone or an authentication server implementing a method according to the invention.
  • Figure 1: a diagram of the elements implemented in the process
  • Figure 2: a diagram of the steps of the method in a first mode of implementation
  • Figure 3: a diagram of the process steps in a variant of this first mode of implementation
  • Figure 4: a diagram of the process steps in a second mode of implementation
  • Figure 5: a diagram of the process steps in a third mode of implementation.
  • the invention finds its place in the context of a transaction between a first user 10, called the merchant in the rest of the description, and a second user 11, called the client in the rest of the description.
  • the merchant 10 is assumed to have a payment terminal 12 comprising communication means, via a network 14, for example of the GSM type, with an authentication server 13 capable of providing transaction authorizations.
  • the payment terminal 12 of the merchant 10 is also assumed to have a loudspeaker adapted to emit a sonic and/or ultrasonic message in a band compatible with the transmission and/or reception frequency band of a mobile phone.
  • the client 11 is assumed to have a mobile terminal 15 of the mobile phone, tablet, electronic payment terminal (EPT) or cash register type, equipped with communication means via a communication network 14, for example GSM, with various remote services.
  • this mobile phone 15 naturally includes a microphone capable of receiving an audio signal and a loudspeaker for transmitting an audio signal, in a frequency band comprising the band audible by the human ear and possibly the ultrasonic band.
  • the invention is intended to be implemented in software form.
  • at least one piece of software is installed in the authentication server 13, and at least one piece of software is installed in the payment terminal 12 of the merchant 10.
  • at least one piece of software is also installed in the mobile phone 15 of the client 11, for example in the form of a smartphone ("ordiphone") application ("app").
  • the transaction authentication method comprises five main steps to validate a payment made by the customer 11 at the merchant 10.
  • the mobile phone 15 of the client 11 is assumed to have a software application adapted to transform (encode and possibly scramble) all or part of the message sent by the authentication server 13 into a sonic and/or ultrasonic message.
  • the authentication server 13 is the one that generates the one-time password (OTP).
  • the payment terminal 12 is assumed to have means for listening to a sonic and/or ultrasonic message and retransmitting it to the authentication server 13.
  • in a first step 301, the payment terminal 12 of the merchant 10 issues a transaction authorization request to the authentication server 13.
  • the authentication server 13 verifies and validates the sonic and/or ultrasonic communication channels between the two mobile terminals 12, 15 before sending the said segments to the mobile terminals.
  • the authentication server 13 checks the existing communication means between the payment terminal 12 of the merchant 10 and the mobile phone 15 of the client 11. This step consists in verifying which of the two terminals 12, 15 are capable of transmitting and/or receiving sonic and/or ultrasonic messages.
  • the authentication server transmits sounds and/or ultrasounds via the TCP/IP communication network to the payment terminal 12 of the merchant, and via the mobile telephone network, here GSM, to the mobile phone 15 of the customer 11, in order to recognize the audio communication channels available between the payment terminal 12 and the mobile phone 15.
  • the sonic and/or ultrasonic acoustic messages received by the speaker of the payment terminal are retransmitted to the authentication server via the same network. The same applies to the sonic and/or ultrasonic acoustic messages received by the speaker of the mobile terminal.
  • the server analyzes these messages and thus determines the possible audio communication paths between the payment terminal 12 and the mobile phone 15, that is to say, concretely, between the speaker of the payment terminal 12 and the microphone of the mobile phone 15, and/or between the speaker of the mobile phone 15 and the microphone of the payment terminal 12.
  • when determining the possible communication paths, the authentication server 13 also tests the capacity of each of the mobile terminals for sending and receiving messages in the sound and/or ultrasound domain. In this way, the system can make the best use of the capabilities of each pair of terminals, including by adapting to older mobile phones that have no ultrasonic capability.
  • since the test can be performed during each transaction, the method can also adapt to variations over time in the capabilities of the mobile terminals, or to difficult sound environment conditions (external noise, etc.).
  • the coding of the message is advantageously carried out in the frequencies best received by the mobile terminals and/or the least noisy.
  • in the case where the payment terminal 12 is not able to listen to acoustic signals, the method is detailed below (steps 303' to 306').
  • in the case where the two terminals 12, 15 are capable of transmitting and receiving sonic and/or ultrasonic messages, in a step 303 the authentication server 13 generates a one-time password. Alternatively, the authentication server 13 does not itself generate this one-time password, but receives it from a password management service, possibly remote. This password management service is then adapted to generate a one-time password, and to authenticate such a password when it is received.
  • the authentication server 13 then cuts this password randomly into segments, and sends some of these segments to the payment terminal 12 and the other segments to the mobile phone 15 of the customer.
  • the password is cut into two segments of possibly different lengths. In a variant, it is split into multiple segments.
  • each of these segments of the one-time password is transformed by the payment terminal 12 and the mobile telephone 15 into sonic and/or ultrasonic messages in the frequency band compatible with the transmission means of said payment terminal 12 and with the receiving means of a mobile phone.
  • the payment terminal 12 and the mobile telephone 15 transmit the sonic and/or ultrasonic messages corresponding to the password segments that they have received from the authentication server 13.
  • in a step 304, the mobile phone 15 of the client 11 and the payment terminal 12 listen to said sonic and/or ultrasonic messages and record them, then transmit these recordings to the authentication server 13.
  • the authentication server 13 receives the recordings of the sonic and/or ultrasonic messages from the mobile phone 15 of the customer 11 and the payment terminal 12 of the merchant 10.
  • the authentication server 13 transforms these sonic and/or ultrasonic messages in reverse to extract the segments of the original message, and compares this message once reconstituted with the original password.
  • the authentication server 13 then notifies the customer 11 via his mobile phone 15 and the merchant 10 via his payment terminal 12 of the success or failure of the signature of the transaction.
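The first implementation mode (steps 303 to 305 above) as an added example, not code from the patent: the server generates a one-time password, cuts it at random positions into segments, hands alternate segments to the payment terminal and to the mobile phone, and validates the message reconstituted from the recordings each terminal uploads of what the other one played. The tone-per-digit codec, the Goertzel decoder, the position tags on the segments and the noise model are assumptions of this example; the patent specifies none of them.

```python
import hmac
import math
import random
import secrets

# Constructed toy acoustic codec (an assumption of this example: the patent
# specifies no codec). Each digit is carried by one pure tone.
SAMPLE_RATE = 8000            # samples per second
SYMBOL_SAMPLES = 400          # 50 ms per digit
BASE_HZ, STEP_HZ = 1000, 200  # digit d -> tone at 1000 + 200*d Hz
DIGITS = "0123456789"


def digit_to_hz(digit: str) -> float:
    return BASE_HZ + STEP_HZ * int(digit)


def encode_segment(segment: str) -> list:
    """Transmitting terminal: turn a password segment into PCM samples, one tone per digit."""
    samples = []
    for ch in segment:
        w = 2 * math.pi * digit_to_hz(ch) / SAMPLE_RATE
        samples.extend(math.sin(w * i) for i in range(SYMBOL_SAMPLES))
    return samples


def record(samples: list, noise_rms: float = 0.3) -> list:
    """Listening terminal: what its microphone captures (constructed additive noise)."""
    rng = random.Random(2014)  # fixed seed so the example is reproducible
    return [x + rng.gauss(0.0, noise_rms) for x in samples]


def goertzel_power(block: list, freq_hz: float) -> float:
    """Energy of `block` at one frequency (Goertzel algorithm, no numpy needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq_hz / SAMPLE_RATE)
    s_prev = s_prev2 = 0.0
    for x in block:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev2 ** 2 + s_prev ** 2 - coeff * s_prev * s_prev2


def decode_message(samples: list) -> str:
    """Server side: recover the digits of a recording, one symbol period at a time."""
    digits = []
    for start in range(0, len(samples), SYMBOL_SAMPLES):
        block = samples[start:start + SYMBOL_SAMPLES]
        digits.append(max(DIGITS, key=lambda d: goertzel_power(block, digit_to_hz(d))))
    return "".join(digits)


class AuthenticationServer:
    """Generates the OTP, cuts it randomly into segments, shares the segments out
    between the two terminals and validates the reconstituted message (steps 303-305)."""

    def __init__(self, otp_digits: int = 8, segments: int = 3):
        self._rng = secrets.SystemRandom()
        self._otp_digits, self._segments = otp_digits, segments
        self._pending = {}  # transaction id -> OTP awaiting validation

    def start_transaction(self) -> dict:
        otp = "".join(self._rng.choice(DIGITS) for _ in range(self._otp_digits))
        cuts = sorted(self._rng.sample(range(1, len(otp)), self._segments - 1))
        bounds = [0, *cuts, len(otp)]
        pieces = [otp[a:b] for a, b in zip(bounds, bounds[1:])]
        # Position tags are an assumption of this example: segments reach the
        # server from two terminals and must be put back in order.
        tagged = list(enumerate(pieces))
        tx_id = secrets.token_hex(8)
        self._pending[tx_id] = otp
        return {"tx_id": tx_id,
                "to_payment_terminal": tagged[0::2],  # played by the terminal, heard by the phone
                "to_mobile_phone": tagged[1::2]}      # played by the phone, heard by the terminal

    def validate(self, tx_id: str, uploads: list) -> bool:
        """`uploads` = [(position, recorded samples), ...] sent by the listening terminals."""
        otp = self._pending.pop(tx_id, None)  # one-time: a second attempt always fails
        if otp is None:
            return False
        ordered = sorted(uploads, key=lambda u: u[0])
        reconstituted = "".join(decode_message(samples) for _, samples in ordered)
        return hmac.compare_digest(reconstituted, otp)


def run_transaction(server: AuthenticationServer, drop_position=None) -> tuple:
    """Simulate steps 303-305; `drop_position` models one segment never being heard.
    Returns (tx_id, uploads, server verdict) so the exchange can be re-examined."""
    tx = server.start_transaction()
    uploads = []
    for position, segment in tx["to_payment_terminal"] + tx["to_mobile_phone"]:
        if position == drop_position:
            continue
        heard = record(encode_segment(segment))  # played by one side, recorded by the other
        uploads.append((position, heard))
    return tx["tx_id"], uploads, server.validate(tx["tx_id"], uploads)
```

Because the server discards the OTP on the first validation attempt, re-uploading the same recordings is rejected, and a missing segment leaves the reconstituted message short of the password, so the proximity proof only succeeds when both acoustic paths actually worked.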
  • the entire password is sent to the mobile phone 15 of the customer 11.
  • it is then sent in sonic and/or ultrasonic form and received by the payment terminal 12, which forwards it to the authentication server 13 via the TCP/IP network for validation.
  • this is then an implementation mode similar to the first implementation of the method, as described above, with the roles of the payment terminal 12 and the mobile phone 15 reversed.
  • when, in step 302 of determination by the authentication server of the possible audio communication channels between the payment terminal 12 and the mobile phone 15, the payment terminal is found to be able only to issue sonic and/or ultrasonic messages but not to receive them, the method comprises, in a nonlimiting example of implementation, the following steps (see Figure 3).
  • in a step 303', the authentication server 13 generates such a one-time password. Alternatively, the authentication server 13 does not itself generate this one-time password, but receives it from a password management service, possibly remote. This password management service is then adapted to generate a one-time password, and to authenticate such a password when it is received.
  • the one-time password is sent to the payment terminal 12 of the merchant 10, and transformed by said payment terminal into a sonic and/or ultrasonic message in the frequency band compatible with the transmission means of said payment terminal 12 and with the receiving means of a mobile phone.
  • this is a message comprising at least a part coded in the form of sounds and/or ultrasound, audible or not by humans but falling within the frequency band correctly received by a mobile phone.
  • the authentication server calls the mobile phone 15 of the client 11, which picks up so as to be ready to receive the sonic message.
  • in a step 304', the payment terminal 12 transmits the sonic message via its speaker.
  • in a step 305', the mobile phone 15 of the client 11 listens to said sonic message with its microphone and records it, then transmits it to the authentication server 13.
  • the authentication server 13 receives the recording of the sonic message from the mobile phone 15 of the client 11, transforms it in reverse to extract the original message, and compares this message with the message sent to the payment terminal 12 of the merchant 10. The authentication server 13 then notifies the customer 11 via his mobile phone 15 and the merchant 10 via his payment terminal 12 of the success or failure of the signature of the transaction.
  • the transaction authentication method also comprises five main steps to validate a payment made by the customer 11 at the merchant 10.
  • the mobile phone 15 of the client 11 is still assumed to have a software application adapted to transform or scramble an OTP received from the authentication server 13 into a sonic and/or ultrasonic message.
  • the payment terminal 12 is still assumed to have means to listen to a sonic and/or ultrasonic message and retransmit it to the authentication server 13. It is also assumed here to be provided with means to transform (encode and possibly scramble) a one-time password.
  • in a first step 401, the payment terminal 12 of the merchant 10 issues a transaction authorization request to the authentication server 13 and initiates the transaction.
  • the payment terminal 12 checks and validates the communication means existing between the payment terminal 12 of the merchant 10 and the mobile phone 15 of the customer 11. This step consists in verifying whether the two terminals 12, 15 are capable of transmitting and receiving sonic and/or ultrasonic messages, and in specifying in which acoustic frequency bands they are able to communicate in transmission and reception, and possibly which are the most effective bands.
  • in a step 403, the payment terminal 12 generates a one-time password. The payment terminal 12 then cuts this password randomly into segments, and sends some of these segments to the mobile phone 15 of the client 11 via the authentication server 13, and the other segments by sonic and/or ultrasonic means to the client 11.
  • the password is cut into two segments of possibly different lengths. In a variant, it is split into multiple segments.
  • in a step 404, the mobile phone 15 of the client 11 listens to the sonic and/or ultrasonic message received from the payment terminal and records it, then transmits this recording, together with the message segment it received via the authentication server 13, to the payment terminal 12 via said authentication server 13.
  • this information is transmitted in sonic and/or ultrasonic form by the mobile phone 15 of the customer 11 to the payment terminal 12.
  • the payment terminal 12 receives the information from the mobile phone 15 of the customer 11, extracts the original message, and compares this message once reconstituted with the original password.
  • the payment terminal 12 then notifies the mobile phone 15 of the client 11, via the authentication server 13, of the success or failure of the signature of the transaction.
  • the transaction authentication method relates to a case where neither the mobile phone 15 of the client 11 nor the payment terminal 12 has a specific application for implementing the process. In this way, the method is very easy to use, including by persons wishing to carry out a transaction who are not equipped with specific applications.
  • the authentication server 13 is, for its part, associated with an IVR ("Interactive Voice Response") server able to generate and receive sound messages.
  • the payment terminal 12 is still assumed to have means for listening to a sonic message and retransmitting it to the authentication server 13. It may be a mobile phone.
  • in a first step 501, the payment terminal 12 of the merchant 10 calls the authentication server 13.
  • in a step 502, it issues a transaction authorization request by sending its payment terminal identifier, the customer's telephone number and the amount of the transaction to be made.
  • the authentication server 13 checks the received data, and calls the customer's mobile phone number.
  • the authentication server 13 generates a one-time password, splits it into segments, and encodes these segments into sonic messages.
  • in a step 504, the customer enters a validation code (of the credit card PIN code type) on his mobile phone 15, which sends this data to the authentication server 13.
  • in a step 505, the payment terminal 12 and the mobile telephone 15 are brought together and the password, coded in the form of sonic messages by the IVR-type authentication server, is transmitted to these terminals, which exchange these sonic messages with each other acoustically.
  • the authentication server 13 receives each sonic message as audio received by each terminal and retransmitted to the authentication server 13.
  • the authentication server 13 then notifies, in a step 506, the client 11 via his mobile phone 15 and the payment terminal 12 of the success or failure of the signature of the transaction.
  • the server verifies and validates the communication means, in a manner similar to that described for the first implementation,
  • the server splits the sonic password into multiple segments and sends them on the various validated communication channels, in a manner similar to that described for the second implementation of the method.
  • each mobile terminal is chosen from the group consisting of mobile telephones (portable phones or portable satellite phones), smartphones (cellular phones with computer capabilities, so-called "smartphones" in English), touch tablet computers, laptop computers and electronic payment terminals (EPTs).
  • the invention makes it possible to secure and authenticate communication between extremely simple mobile terminals, in particular when at least one of them is a simple GSM-type portable mobile telephone (and not an ordiphone, that is, a smartphone: a mobile phone equipped with digital data processing means), or when all the terminals are simple GSM-type cellular mobile phones. The invention thus makes it possible to secure and authenticate communications in regions of the world that are not (or are only sparsely) equipped with the computers and networks (UMTS, LTE, 3G, 4G, ...) that such devices require.

Abstract

The invention relates to a method for authenticating a transaction between two users of said method, comprising the following steps: a one-time password is generated by an authentication server (13) at the request of one of the two users; the one-time password is split into at least two segments sent to at least one (12) of the mobile terminals; the sonic and/or ultrasonic messages corresponding to the one-time password segments are exchanged sonically and/or ultrasonically between the mobile terminals (12, 15); and the authentication server (13) receives the sonic and/or ultrasonic messages, decodes them in order to extract the segments, and compares the reconstituted message with said one-time password for validation.

Description

TRANSACTION AUTHENTICATION METHOD
The present invention relates to a method of authentication between two users for a data transfer method. More precisely, it relates to a so-called strong authentication method, contactless and in the near field, in particular for a remote payment method.
It falls within the field of secure data transmission methods.
Throughout the text, the term "server" generally designates the computing function consisting in making data and/or computing resources available to humans and/or machines, these resources being accessible through at least one communication network (telecommunication network and/or computer network). Thus, a server may physically consist of any computer system, including a single computer or a plurality of computers connected in a network or a grid. The term "mobile" and its derivatives, applied to a terminal, designate the fact that the terminal is portable and adapted to operate without a wired link to an external environment, in particular to communicate with a network. The term "user" designates a human using, at least in part, a method according to the invention.
Furthermore, the term "transaction" generally designates any operation that may take place between users and that is subject at least to authentication by at least one secure server. It may in particular be a financial transaction (in particular a banking transaction such as a transfer); a commercial transaction (in particular a payment transaction during a purchase); a legal or contractual transaction (proof of agreement given to an agreement, for example when accessing a network or when downloading or using software); or a technical transaction (for example the configuration of access to a network (for example a telecommunication and/or computer network) for an identified user).
Moreover, the terms "audio" and "acoustic" refer generally to sounds and sound waves, that is to say both to sounds audible to the human ear and to ultrasound. The expression "sonic and/or ultrasonic message" designates any continuous emission of an uninterrupted acoustic signal within a time interval at the beginning of which the acoustic signal starts and at the end of which the acoustic signal stops. The terms "sonic" and "sound" are taken to be synonyms. The terms "ultrasonic" and "ultrasound" are taken to be synonyms.
The term "coded" and its derivatives, applied to a message, designate the fact that the message contains a code which cannot be discerned by a human from mere knowledge of the message. A coded acoustic message is therefore unintelligible. The term "decode" and its derivatives, applied to a coded message, designate the extraction of the code carried by the coded message. The term "encrypted" and its derivatives designate the fact that a signal, a data set, a message or a code has undergone an encryption process such that it is understandable neither by a human nor by a machine that does not possess a decryption process making it possible to recover the signal, data set, message or code.
Preamble and prior art
Various methods are already known for authenticating a user during a transaction of the credit-card payment type, for example during a purchase on an e-commerce site.
Among these methods, one of the most commonly used to date is the method in which, once a transaction has been carried out and payment requested online by the user on an e-commerce site, said user receives from his bank a code in the form of an SMS on his mobile phone, and must enter this code on the payment user interface of his transaction in order to authenticate it. The fact that the person carrying out the transaction has the mobile phone of the bank account holder is considered sufficient proof of that holder's identity.
Likewise, when paying by credit card in a shop, it is common for the user to enter his secret code on a payment terminal to validate the transaction. This signature by entry of the secret code has, however, the drawback of the lack of security caused by typing the code in front of other people.
Other methods have been considered to overcome this drawback, in particular the use of an e-credit card, that is to say a single-use credit card whose data (called OTP, for "One Time Password") are generated at the user's request for use in a single purchase.
Also known is the technology of payment by telephones equipped for the near-field communication method (in English "Near Field Communication", hence the acronym NFC). In this technology, a terminal transmits, at very short range (typically 1 to 10 cm), a high-frequency electromagnetic message to a receiving terminal in order to transmit electronic signature information.
But, to date, only 3 to 5% of mobile phones are compatible with NFC technology, which limits the use of authentication by this means and, for reasons of cost, restricts its chances of widespread adoption by merchants or customers.
US 2011/258121 (D1) describes a method and an apparatus for enabling an automatic payment in which the equipment of the user wishing to make the payment generates and emits an audio token, the merchant's equipment picks up this audio token, decodes it and transmits a payment authorization request to a remote host center. The audio token generated by the user equipment may incorporate a password previously transmitted to it by the remote host center.
These various methods are complex or lack security for the user.
Presentation of the invention
The invention therefore relates to a method for authenticating a transaction between two users of said method, a first user being provided with a first mobile terminal, a second user being provided with a second mobile terminal, at least one of these mobile terminals comprising means for emitting a signal in the audio band, and at least the other mobile terminal comprising means for receiving an audio signal, said method comprising steps in which:
- a one-time password is generated by an authentication server at the request of one of the two users,
- said one-time password is transmitted, via a communication network, to a mobile terminal associated with one of the users,
- said one-time password is coded in the form of at least one sonic and/or ultrasonic message comprising at least part of the one-time password coded in the form of sounds and/or ultrasound in a frequency band compatible with reception by a mobile phone,
- each sonic and/or ultrasonic message is emitted by one mobile terminal and listened to by the other mobile terminal,
- each sonic and/or ultrasonic message received by a mobile terminal is retransmitted by that mobile terminal to the authentication server for comparison with an expected message and for validation,
characterized in that:
- the one-time password is cut into at least two segments sent to at least one of the mobile terminals,
- the sonic and/or ultrasonic messages corresponding to the one-time password segments are exchanged sonically and/or ultrasonically between the mobile terminals,
- the authentication server receives the sonic and/or ultrasonic messages corresponding to the one-time password segments from the mobile terminals, decodes them to extract the segments, and compares the message, once reconstituted, with said one-time password for validation.
Advantageously and according to the invention, the authentication server cuts the one-time password into at least two segments (generally more than two) and sends these segments to at least one of the mobile terminals. Alternatively or in combination, in certain embodiments according to the invention, at least part of the one-time password is cut into at least two segments (generally more than two) by at least one of the terminals (the emitter of the sonic and/or ultrasonic messages corresponding at least to these segments). Moreover, each segment may or may not be encrypted.
Furthermore, in certain embodiments according to the invention, at least part of the segments of the one-time password are coded into sonic and/or ultrasonic messages at the authentication server before transmission to the mobile terminals. Alternatively or in combination, in certain embodiments according to the invention, at least part of the segments of the one-time password are coded into sonic and/or ultrasonic messages at at least one mobile terminal.
In addition, in certain embodiments according to the invention, the two mobile terminals both being capable of emitting and receiving sonic and/or ultrasonic messages, the authentication server sends at least one segment (generally several segments) of the one-time password to one of the mobile terminals, and at least one other segment (generally several segments) of the one-time password to the other mobile terminal:
- the mobile terminals emit sonic and/or ultrasonic messages corresponding to each password segment they have received from the authentication server,
- the mobile terminals listen to said sonic and/or ultrasonic messages and transmit them to the authentication server,
- the authentication server receives the sonic and/or ultrasonic messages from the mobile terminals, decodes them to extract the segments and reconstitute a message from these segments, and compares the reconstituted message with said one-time password for validation.
In certain embodiments, a method according to the invention comprises a step of verifying and validating the sonic and/or ultrasonic communication channels between the two mobile terminals before sending said segments to the mobile terminals.
The invention thus relates in particular to a method for authenticating a transaction between two users of said method (referred to as the customer and the merchant), a first user being provided with a first mobile terminal, a second user being provided with a second mobile terminal, at least one of these mobile terminals comprising means for emitting a signal in the audio band, and at least the other mobile terminal comprising means for receiving a signal in the audio band. Acoustic waves are therefore used to exchange information between the two devices in a secure manner.
The method comprises steps in which:
- an authentication message is generated by an authentication server at the request of one of the two users,
- said authentication message is transmitted, via a communication network, to a mobile terminal associated with one of the users,
- said authentication message is coded in the form of a sonic and/or ultrasonic message comprising at least part of the message coded in the form of sounds or ultrasound in the frequency band compatible with reception by a conventional mobile phone,
- said sonic and/or ultrasonic message is emitted by said mobile terminal and listened to by the other mobile terminal, associated with the other user,
- the received sonic and/or ultrasonic message is retransmitted by the second mobile terminal to the authentication server for comparison with the expected message and for validation.
The authentication process comprises two security factors: the first is the user name and PIN code, which guarantees the identity of the user, and the second consists of a sonic and/or ultrasonic code which guarantees the proximity and possession of the devices involved in the transaction. This is a near-field authentication.
In a particular implementation, the transformation of the authentication message into a sonic and/or ultrasonic message is carried out at the authentication server before transmission to the mobile terminal.
In a more particular implementation, the authentication server is then, for example, of the IVR type ("Interactive Voice Response server").
In an alternative implementation, the transformation (coding and possibly scrambling) of the authentication message into a sonic and/or ultrasonic message is carried out at the mobile terminal. In a particular implementation, the authentication message is of the one-time (OTP) type, specific to each transaction to be signed. This arrangement guarantees increased security of the transaction.
In a particular implementation, the method comprises a step of verifying and validating the sonic and/or ultrasonic communication channels between the two mobile terminals. In this way, the method adapts to the conditions existing at the merchant and the customer, and optimizes the strength of the authentication according to the communication channels available. It is in particular capable of using the ultrasonic capabilities of the terminals, where they have them.
Dans une première mise en œuvre, un premier terminal mobile, dit "terminal de paiement du commerçant" étant supposé doté de moyens d'écouter un message sonique et/ou ultrasonique et de le retransmettre à destination d'un serveur dit "serveur d'authentification", et un second terminal mobile, de type téléphone mobile, dit "téléphone mobile du client", étant supposé doté d'une application logicielle adaptée à transformer (codage et éventuellement brouillage) un message reçu du serveur d'authentification, le procédé comporte notamment des étapes suivantes :  In a first implementation, a first mobile terminal, said "payment terminal of the merchant" is assumed to have means for listening to a sonic and / or ultrasonic message and retransmit it to a server called "server of authentication ", and a second mobile terminal, mobile phone type, called" mobile phone of the client ", is supposed to have a software application adapted to transform (coding and possibly scrambling) a message received from the authentication server, the method includes the following steps:
- étape 301 : le terminal de paiement du commerçant émet une demande d'autorisation de transaction à destination du serveur d'authentification,  step 301: the merchant's payment terminal issues a transaction authorization request to the authentication server,
- step 302: the authentication server checks the sonic and/or ultrasonic communication means existing between the merchant's payment terminal and the customer's mobile phone,
- step 303: where both terminals are capable of transmitting and receiving sonic and/or ultrasonic messages, the authentication server obtains or generates a one-time password, then cuts this password into at least two segments (generally more than two), and sends at least one segment (in particular some of these segments) to the payment terminal and at least one other segment (in particular the other segments) to the customer's mobile phone, at least part of these segments of the one-time password being transformed (coded and optionally scrambled and/or encrypted) by the payment terminal or the mobile phone into sonic and/or ultrasonic messages in a frequency band compatible with the transmission means of said payment terminal and with the receiving means of a mobile phone,
- the payment terminal and the mobile phone transmit the sonic and/or ultrasonic messages corresponding to the password segments they received from the authentication server,
- step 304: the customer's mobile phone and the payment terminal listen to said sonic and/or ultrasonic messages and record them, then transmit these recordings to the authentication server,
- step 305: the authentication server receives the recordings of the sonic and/or ultrasonic messages from the customer's mobile phone and the payment terminal, decodes these sonic and/or ultrasonic messages to extract the segments, and compares the reconstituted message with the original password for validation.
In another implementation, the second mobile terminal, of the mobile phone type, called the "customer's mobile phone", being assumed to have a software application adapted to transform a message received from a server associated with the authentication generator, called the "authentication server", into a sonic and/or ultrasonic message that may have undergone deliberate distortion (scrambling), and the first mobile terminal, called the "merchant's payment terminal", being provided with means for listening to a sonic and/or ultrasonic message and retransmitting it to the authentication server, and with means for generating a one-time password, the method comprises in particular the following steps:
- step 401: the merchant's payment terminal sends a transaction authorization request to the authentication server and initializes the transaction,
- step 402: the payment terminal checks the sonic and/or ultrasonic communication means existing between the merchant's payment terminal and the customer's mobile phone,
- step 403: in the favorable case, the payment terminal cuts the password generated by the authentication server into at least two segments, sends at least one segment (in particular some of these segments) to the customer's mobile phone through the authentication server, and at least one other segment (in particular the other segments) by sonic and/or ultrasonic means,
- step 404: the customer's mobile phone listens to the sonic and/or ultrasonic message received from the payment terminal and records it, then transmits this recording to the payment terminal via said authentication server,
- step 405: the payment terminal receives the information from the customer's mobile phone, extracts the original message from it, and compares the reconstituted message with the original password.
More particularly in this case, in step 404, the transmission of the recording and of the received message segment is performed through the authentication server.
Alternatively, in step 404, at least part of the recording and of each received message segment is transmitted in sonic and/or ultrasonic form by the customer's mobile phone to the payment terminal.
In one variant, the one-time authentication message supplied by the authentication server is coded by the authentication server itself as a sonic and/or ultrasonic message, the authentication server being linked to a VoIP (voice over IP) type server, that is, one capable of generating telephone calls and signals in a sonic and/or ultrasonic frequency band.
In a second aspect, the invention relates to a payment terminal, a mobile phone or an authentication server implementing a method according to the invention.
Presentation of the figures
The characteristics and advantages of the invention will be better appreciated from the description that follows, which sets out the characteristics of the invention through a non-limiting example of application.
The description is based on the appended figures, which represent:
Figure 1: a diagram of the elements used in the method,
Figure 2: a diagram of the steps of the method in a first mode of implementation,
Figure 3: a diagram of the steps of the method in a variant of this first mode of implementation,
Figure 4: a diagram of the steps of the method in a second mode of implementation,
Figure 5: a diagram of the steps of the method in a third mode of implementation.
Detailed description of one embodiment of the invention
As seen in Figure 1, the invention applies in the context of a transaction between a first user 10, called the merchant in the remainder of the description, and a second user 11, called the customer in the remainder of the description.
The merchant 10 is assumed to have a payment terminal 12 comprising means for communicating, via a network 14, for example of the GSM type, with an authentication server 13 capable of providing transaction authorizations. In the present embodiment, the payment terminal 12 of the merchant 10 is also assumed to have a loudspeaker adapted to emit a sonic and/or ultrasonic message in a band compatible with the transmission and/or reception frequency band of a mobile phone.
The customer 11 is assumed to have a mobile terminal 15 of the mobile phone, tablet, TPE (electronic payment terminal) or cash register type, with means for communicating via a communications network 14, for example GSM, with various remote services. This mobile phone 15 naturally comprises a microphone capable of receiving an audio signal and a loudspeaker for emitting an audio signal, in a frequency band comprising the band audible to the human ear and optionally the ultrasonic band.
The invention is intended to be implemented in software form. In some embodiments, at least one piece of software is installed in the authentication server 13 and at least one in the payment terminal 12 of the merchant 10. In some embodiments, at least one piece of software is also installed in the mobile phone 15 of the customer 11, for example in the form of a smartphone application ("app").
Operating mode
In a first mode of implementation, illustrated by Figure 2, the transaction authentication method comprises five main steps for validating a payment made by the customer 11 at the merchant 10.
In this implementation, the mobile phone 15 of the customer 11 is assumed to have a software application adapted to transform (code and optionally scramble) all or part of the OTP sent by the authentication server 13 into a sonic and/or ultrasonic message. The authentication server 13 is the one that generates the one-time password (OTP).
Likewise, in this first implementation, the payment terminal 12 is assumed to have means for listening to a sonic and/or ultrasonic message and retransmitting it to the authentication server 13.
In a first step 301, the payment terminal 12 of the merchant 10 sends a transaction authorization request to the authentication server 13.
In a second step 302, the authentication server 13 checks and validates the sonic and/or ultrasonic communication channels between the two mobile terminals 12, 15 before sending said segments to the mobile terminals. The authentication server 13 checks the communication means existing between the payment terminal 12 of the merchant 10 and the mobile phone 15 of the customer 11. This step consists in determining which of the two terminals 12, 15 are capable of transmitting and/or receiving sonic and/or ultrasonic messages.
For this purpose, in the present non-limiting example, the authentication server, here associated with a VoIP type server, sends sounds and/or ultrasounds over the TCP/IP communication network to the payment terminal 12 of the merchant, and over the mobile telephone network, here GSM, to the mobile phone 15 of the customer 11, in order to identify the audio communication paths available between the payment terminal 12 and the mobile phone 15. The sonic and/or ultrasonic acoustic messages received by the loudspeaker of the payment terminal are retransmitted to the authentication server over the same network. The same applies to the sonic and/or ultrasonic acoustic messages received by the loudspeaker of the mobile terminal. The server analyzes these messages and thereby determines the possible audio communication paths between the payment terminal 12 and the mobile phone 15, that is, concretely, between the loudspeaker of the payment terminal 12 and the microphone of the mobile phone 15, and/or between the loudspeaker of the mobile phone 15 and the microphone of the payment terminal 12.
When determining the possible communication paths, the authentication server 13 also tests the capability of each mobile terminal to transmit and receive messages in the sonic and/or ultrasonic domain. In this way, the system can make the best use of the capabilities of each pair of terminals, and in particular adapt to older mobile phones that have no ultrasonic capability.
The test can be performed at each transaction; the method can thus also adapt to variations over time in the capabilities of the mobile terminals, or to difficult acoustic environments (outside noise, etc.). In these cases, the message is advantageously coded in the frequencies best received by the mobile terminals and/or the least noisy.
The case where the payment terminal 12 is not capable of listening to acoustic signals is detailed below (steps 303' to 306').
Where both terminals 12, 15 are capable of transmitting and receiving sonic and/or ultrasonic messages, in a step 303 the authentication server 13 generates a one-time password. Alternatively, the authentication server 13 does not itself generate this one-time password but receives it from a password management service, which may be remote. This password management service is then adapted to generate a one-time password and to authenticate such a password when it is received.
The authentication server 13 then cuts this password randomly into segments, and sends some of these segments to the payment terminal 12 and the other segments to the mobile phone 15 of the customer. In the present example of implementation, the password is cut into two segments of possibly different lengths. In a variant, it is split into multiple segments.
Still in this step 303, each of these segments of the one-time password is transformed by the payment terminal 12 and the mobile phone 15 into sonic and/or ultrasonic messages in the frequency band compatible with the transmission means of said payment terminal 12 and with the receiving means of a mobile phone. The payment terminal 12 and the mobile phone 15 transmit the sonic and/or ultrasonic messages corresponding to the password segments they received from the authentication server 13.
In a step 304, the mobile phone 15 of the customer 11 and the payment terminal 12 listen to said sonic and/or ultrasonic messages and record them, then transmit these recordings to the authentication server 13.
Finally, in a step 305, the authentication server 13 receives the recordings of the sonic and/or ultrasonic messages from the mobile phone 15 of the customer 12 and the payment terminal 12 of the merchant 10.
The authentication server 13 applies the inverse transformation to these sonic and/or ultrasonic messages to extract the segments of the original message, and compares the reconstituted message with the original password.
The authentication server 13 then notifies the customer 11 via his mobile phone 15 and the merchant 10 via his payment terminal 12 of the success or failure of the transaction signature.
In a variant of this implementation, where the payment terminal is capable of receiving sonic and/or ultrasonic messages and the mobile phone has a specific software application, the entire password is sent to the mobile phone 15 of the customer 11. It is then transmitted in sonic and/or ultrasonic form and received by the payment terminal 12, which forwards it to the authentication server 13 over the TCP/IP network for validation. This is a mode of implementation similar to the first implementation of the method described above, with the roles of the payment terminal 12 and the mobile phone 15 reversed.
After step 302, in which the authentication server determines the possible audio communication paths between the payment terminal 12 and the mobile phone 15, when the payment terminal is capable only of transmitting sonic and/or ultrasonic messages but not of receiving them, the method comprises, in a non-limiting example of implementation, the following steps (see Figure 3).
In a step 303', the authentication server 13 generates such a one-time password. Alternatively, the authentication server 13 does not itself generate this one-time password but receives it from a password management service, which may be remote. This password management service is then adapted to generate a one-time password and to authenticate such a password when it is received.
The one-time password, usually a string of characters or digits, is sent to the payment terminal 12 of the merchant 10 and transformed by said payment terminal into a sonic and/or ultrasonic message in the frequency band compatible with the transmission means of said payment terminal 12 and with the receiving means of a mobile phone. This is a message at least part of which is coded as sounds and/or ultrasounds, audible or inaudible to humans but within the frequency band correctly received by a mobile phone. Simultaneously, the authentication server calls the mobile phone 15 of the customer 11, which answers so as to be ready to receive the sonic message.
In a step 304', the payment terminal 12 emits the sonic message through its loudspeaker. In a step 305', the mobile phone 15 of the customer 11 listens to said sonic message through its microphone, records it, then transmits it to the authentication server 13.
Finally, in a step 306', the authentication server 13 receives the recording of the sonic message from the mobile phone 15 of the customer 12, applies the inverse transformation to extract the original message, and compares this message with the message sent to the payment terminal 12 at the merchant 11. The authentication server 13 then notifies the customer 11 via his mobile phone 15 and the merchant 10 via his payment terminal 12 of the success or failure of the transaction signature.
Dans un second mode de mise en œuvre, illustré par la figure 4, le procédé d'authentification de transaction comporte encore cinq étapes principales, pour valider un paiement réalisé par le client 1 1 chez le commerçant 10.  In a second mode of implementation, illustrated by FIG. 4, the transaction authentication method also comprises five main steps, to validate a payment made by the customer 11 at the merchant 10.
Dans cette seconde mise en œuvre, le téléphone mobile 15 du client 1 1 est encore supposé doté d'une application logicielle adaptée à transformer ou brouiller un OTP reçu du serveur d'authentification 13 en message sonique et/ou ultrasonique.  In this second implementation, the mobile phone 15 of the client 1 1 is still assumed to have a software application adapted to transform or scramble an OTP received from the authentication server 13 in sonic and / or ultrasonic message.
De même, dans cette seconde mise en œuvre, le terminal de paiement 12 est encore supposé doté de moyens d'écouter un message sonique et/ou ultrasonique et de le retransmettre à destination du serveur d'authentification 13. Il est également supposé ici doté de moyens de transformer (coder et éventuellement brouiller) un mot de passe à usage unique.  Similarly, in this second implementation, the payment terminal 12 is still assumed to have means to listen to a sonic and / or ultrasonic message and retransmit it to the authentication server 13. It is also assumed here endowed means to transform (encode and possibly scramble) a one-time password.
Dans une première étape 401 , le terminal de paiement 12 du commerçant 10 émet une demande d'autorisation de transaction à destination du serveur d'authentification 13 et initialise la transaction.  In a first step 401, the payment terminal 12 of the merchant 10 issues a transaction authorization request to the authentication server 13 and initiates the transaction.
In a second step 402, the payment terminal 12 checks and validates the communication means existing between the payment terminal 12 of the merchant 10 and the mobile phone 15 of the customer 11. This step consists in checking whether the two terminals 12, 15 are capable of transmitting and receiving sonic and/or ultrasonic messages, in determining in which acoustic frequency bands they are able to communicate in transmission and in reception, and possibly which bands are the most effective. In the favorable case, in a step 403, the payment terminal 12 generates a one-time password. The payment terminal 12 then cuts this password into segments at random, and sends some of these segments to the mobile phone 15 of the customer 11 via the authentication server 13, and the other segments to the customer 11 by sonic and/or ultrasonic means. In the present example of implementation, the password is cut into two segments of possibly different lengths. In a variant, it is split into multiple segments.
In a step 404, the mobile phone 15 of the customer 11 listens to the sonic and/or ultrasonic message received from the payment terminal and records it, then transmits this recording, together with the message segment received via the authentication server 13, to the payment terminal 12 via said authentication server 13.
Alternatively, some or all of this information is transmitted in sonic and/or ultrasonic form by the mobile phone 15 of the customer 11 to the payment terminal 12.
Finally, in a step 405, the payment terminal 12 receives the information from the mobile phone 15 of the customer 11, extracts the original message from it, and compares this message, once reconstituted, with the original password.
The payment terminal 12 then notifies the mobile phone 15 of the customer 11, via the authentication server 13, of the success or failure of the signature of the transaction.
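Steps 403 to 405 of the second implementation above move one segment of the one-time password over the network and the other over the air, and the terminal only accepts the transaction if the two halves, put back together, equal the password it generated. The following Python is an added example written for this page; it is not code from the patent or its inventor. It assumes a telephone-band tone alphabet (one 50 ms tone per digit, ten tones between 1 kHz and 2.8 kHz, a band the capability check of step 402 is taken to have approved), a constructed noisy channel in place of the real air gap, and hypothetical names (generate_otp, split_random, encode_sonic, decode_sonic, acoustic_channel, run_transaction). It shows the random split, the tone coding and Goertzel decoding of the sonic segment, and the terminal's reconstitution with a constant-time comparison.

```python
import hmac
import math
import random
import secrets

# Assumed sonic channel parameters (not taken from the patent): telephone-grade sampling,
# one 50 ms tone per digit, ten tones 200 Hz apart between 1 kHz and 2.8 kHz, i.e. inside
# the band an ordinary handset loudspeaker and microphone pass. With 400-sample frames the
# Goertzel bins are 20 Hz wide, so every tone sits exactly on a bin, ten bins from its neighbours.
SAMPLE_RATE = 8000
TONE_SAMPLES = 400
ALPHABET = "0123456789"
FREQS = {d: 1000 + 200 * i for i, d in enumerate(ALPHABET)}


def generate_otp(ndigits=8):
    """One-time password drawn from the OS CSPRNG (step 403)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(ndigits))


def split_random(otp, nseg=2):
    """Cut the OTP at random positions into nseg non-empty segments (step 403)."""
    rng = secrets.SystemRandom()
    cuts = [0] + sorted(rng.sample(range(1, len(otp)), nseg - 1)) + [len(otp)]
    return [otp[a:b] for a, b in zip(cuts, cuts[1:])]


def encode_sonic(segment):
    """Encode a digit string as consecutive pure tones, one tone per digit."""
    samples = []
    for d in segment:
        w = 2 * math.pi * FREQS[d] / SAMPLE_RATE
        samples.extend(math.sin(w * n) for n in range(TONE_SAMPLES))
    return samples


def goertzel_power(frame, freq):
    """Energy of one frequency in a frame (Goertzel algorithm, no FFT library needed)."""
    coeff = 2 * math.cos(2 * math.pi * freq / SAMPLE_RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def decode_sonic(samples):
    """Recover the digit string: for each tone slot keep the strongest of the ten tones."""
    digits = []
    for start in range(0, len(samples) - TONE_SAMPLES + 1, TONE_SAMPLES):
        frame = samples[start:start + TONE_SAMPLES]
        digits.append(max(ALPHABET, key=lambda d: goertzel_power(frame, FREQS[d])))
    return "".join(digits)


def acoustic_channel(samples, noise_sigma=0.2, seed=1):
    """Constructed stand-in for the air gap between the two devices: attenuation plus noise."""
    rng = random.Random(seed)
    return [0.5 * x + rng.gauss(0.0, noise_sigma) for x in samples]


def run_transaction(tamper=False):
    """Steps 403 to 405 of the second implementation, both parties modelled in one process.

    Returns True when the terminal accepts the reconstituted password, False otherwise.
    With tamper=True the network-side segment comes back with one digit changed, and the
    check must fail.
    """
    # Payment terminal, step 403: generate, split, play one segment through the loudspeaker.
    otp = generate_otp()
    seg_via_server, seg_sonic = split_random(otp, 2)
    audio = encode_sonic(seg_sonic)

    # Customer phone, step 404: records the sound and returns the recording together with
    # the segment it received through the authentication server.
    recording = acoustic_channel(audio)
    returned_segment = seg_via_server
    if tamper:
        returned_segment = str((int(seg_via_server[0]) + 1) % 10) + seg_via_server[1:]

    # Payment terminal, step 405: decode the recording, reconstitute in the order of the
    # split, and compare in constant time so the comparison leaks nothing about the OTP.
    reconstituted = returned_segment + decode_sonic(recording)
    return hmac.compare_digest(reconstituted, otp)


if __name__ == "__main__":
    print("accepted:", run_transaction())
    print("tampered accepted:", run_transaction(tamper=True))
```

The terminal is the only party that ever holds the whole password, and it reassembles the segments in the order it cut them, so the phone cannot pass the check with just the network segment or just the recording. A real deployment would also need the detection of tone boundaries and timing that a fixed 400-sample grid glosses over here.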
In a third mode of implementation, illustrated by FIG. 5, the transaction authentication method concerns a case where neither the mobile phone 15 of the customer 11 nor the payment terminal 12 is provided with specific applications for implementing the method. In this way, the method is very easy to use, including by persons wishing to carry out a transaction who are not equipped with specific applications.
The authentication server 13 is, for its part, associated with a server of the IVR ("Interactive Voice Response") type, able to generate and receive sound messages. Likewise, in this third implementation, the payment terminal 12 is still assumed to be provided with means for listening to a sonic message and retransmitting it to the authentication server 13. It may be a mobile phone.
In a first step 501, the payment terminal 12 of the merchant 10 calls the authentication server 13.
In a step 502, it issues a transaction authorization request by sending its payment terminal identifier, the customer's telephone number and the amount of the transaction to be carried out.
In a step 503, the authentication server 13 checks the data received and calls the customer's mobile phone number. The authentication server 13 generates a one-time password, splits it into segments, and encodes these segments into sonic messages.
In a step 504, the customer enters a validation code (of the credit card PIN code type) on his mobile phone 15, which sends this data to the authentication server 13.
In a step 505, the payment terminal 12 and the mobile phone 15 are brought close together, and the password encoded in the form of sonic messages by the IVR-type authentication server is transmitted to these terminals, which exchange these sonic messages with each other over the sonic channel. The authentication server 13 then receives each sonic message as received by audio by each terminal and retransmitted to the authentication server 13.
In a step 506, the authentication server 13 then notifies the customer 11, via his mobile phone 15, and the payment terminal 12 of the success or failure of the signature of the transaction.
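In the third implementation (steps 501 to 506) the authentication server is the only party with software: it checks the request, splits the password, has the IVR play one segment to each device, checks the validation code, and finally compares what each device relays back. The following Python is an added example of that server-side logic written for this page, not the patent's or the inventor's implementation. The acoustic coding is left out; each segment is passed around as the digit string a device would decode from the other's tones. The class and function names (AuthServer, request, validate_pin, finish, demo, pin_hash), the registry data in TERMINALS and CUSTOMERS, the salted PBKDF2 storage of the validation code, the 60 s validity window and the three-attempt limit are all assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed registry data, placeholders only: the terminal identifiers the server knows
# and, per customer phone number, a salted PBKDF2 hash of the validation code of step 504.
SALT = b"constructed-salt-value"


def pin_hash(pin):
    """Slow salted hash so the stored validation codes are not reversible if the table leaks."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 50_000)


TERMINALS = {"TPE-0001": "constructed merchant"}
CUSTOMERS = {"+33600000000": pin_hash("1234")}


class AuthServer:
    """Server side of steps 502 to 506 (assumed design, not the patent's implementation)."""

    TTL = 60           # seconds a pending transaction stays valid (assumption)
    MAX_PIN_TRIES = 3  # validation-code attempts before the transaction is abandoned (assumption)

    def __init__(self, now=0.0):
        self.now = now       # injected clock so that expiry can be tested deterministically
        self.sessions = {}

    def request(self, terminal_id, phone, amount):
        """Steps 502/503: check the request, create the session, return what each call leg plays."""
        if terminal_id not in TERMINALS or phone not in CUSTOMERS or amount <= 0:
            return None
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        cut = 1 + secrets.randbelow(len(otp) - 1)          # random cut, both halves non-empty
        txid = secrets.token_hex(8)
        self.sessions[txid] = {
            "terminal": terminal_id, "phone": phone, "amount": amount, "otp": otp,
            "to_terminal": otp[:cut], "to_phone": otp[cut:],
            "created": self.now, "pin_ok": False, "pin_tries": 0,
        }
        # The IVR call legs play these segments as sonic messages to the respective device.
        return txid, {"terminal": otp[:cut], "phone": otp[cut:]}

    def validate_pin(self, txid, pin):
        """Step 504: the code typed on the phone, checked against the stored hash."""
        s = self.sessions.get(txid)
        if s is None:
            return False
        s["pin_tries"] += 1
        if s["pin_tries"] > self.MAX_PIN_TRIES:
            del self.sessions[txid]             # too many attempts: abandon the transaction
            return False
        s["pin_ok"] = hmac.compare_digest(pin_hash(pin), CUSTOMERS[s["phone"]])
        return s["pin_ok"]

    def finish(self, txid, heard_by_terminal, heard_by_phone):
        """Steps 505/506: each device relays the digits it decoded from the other's sound."""
        s = self.sessions.pop(txid, None)       # single use: consumed whatever the outcome
        if s is None or not s["pin_ok"] or self.now - s["created"] > self.TTL:
            return False
        # What the phone heard must be the segment played to the terminal and vice versa:
        # a device can only relay the other's segment if the two were actually together.
        # Both checks run unconditionally (bitwise &) and each comparison is constant time.
        cross_ok = (hmac.compare_digest(heard_by_phone, s["to_terminal"])
                    & hmac.compare_digest(heard_by_terminal, s["to_phone"]))
        whole_ok = hmac.compare_digest(heard_by_phone + heard_by_terminal, s["otp"])
        return bool(cross_ok & whole_ok)


def demo():
    """Happy path: request, correct validation code, devices brought together, accepted."""
    srv = AuthServer()
    txid, played = srv.request("TPE-0001", "+33600000000", 1250)
    srv.validate_pin(txid, "1234")
    return srv.finish(txid, heard_by_terminal=played["phone"], heard_by_phone=played["terminal"])


if __name__ == "__main__":
    print("transaction signed:", demo())
```

The session is removed on the first validation attempt, whatever its result, so a relayed recording cannot be presented twice, and each device is required to relay the segment that was played to the other one, which is what ties the acceptance to the two devices being within earshot rather than merely both being online.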
In a variant of this third implementation, the server checks and validates the communication means, in a manner similar to that described for the first implementation.
In another variant, the server splits the sonic password into multiple segments and sends them over the various validated communication channels, in a manner similar to that described for the second implementation of the method. Throughout the foregoing description, reference has been made to a transaction of the purchase payment type. It is clear that the method according to the invention applies more broadly to any type of near-field authentication, allowing two terminals to communicate securely.
The invention may be subject to numerous variants and embodiments beyond the sole embodiments described above and shown in the drawings. In particular, the invention can be applied to a very large number of different categories of terminals. In particular, advantageously and according to the invention, each mobile terminal is chosen from the group consisting of mobile telephones (portable cellular or portable satellite), smartphones (portable cellular telephones with computing capability), portable touch-screen tablet computers, laptop computers, and electronic payment terminals (EPTs). It should be noted in particular that the invention makes it possible to secure and authenticate a communication between extremely simple mobile terminals, in particular when at least one of them is a simple portable cellular mobile telephone of the GSM type (and not a smartphone, that is, a portable cellular mobile telephone provided with digital data processing means), or when all the terminals are simple portable cellular mobile telephones of the GSM type. The invention therefore makes it possible to secure and authenticate communications in regions of the world that are not (or little) equipped with smartphones and with the networks (UMTS, LTE, 3G, 4G, etc.) that allow these smartphones to be used.

Claims
1/ - Transaction authentication method between two users of said method, a first user being provided with a first mobile terminal, a second user being provided with a second mobile terminal, at least one of these mobile terminals (12, 15) comprising means for transmitting a signal in the audio band, and at least the other mobile terminal comprising means for receiving an audio signal, said method comprising steps in which:
- a one-time password is generated by an authentication server (13) at the request of one of the two users,
- said one-time password is transmitted, via a communication network, to a mobile terminal associated with one of the users,
- said one-time password is encoded in the form of at least one sonic and/or ultrasonic message comprising at least part of the one-time password encoded in the form of sounds and/or ultrasounds in a frequency band compatible with reception by a mobile phone,
- each sonic and/or ultrasonic message is transmitted by one mobile terminal and listened to by the other mobile terminal,
- each sonic and/or ultrasonic message received by a mobile terminal is retransmitted by the mobile terminal to the authentication server (13) for comparison with an expected message and for validation,
characterized in that:
- the one-time password is cut into at least two segments sent to at least one (12) of the mobile terminals,
- the sonic and/or ultrasonic messages corresponding to the one-time password segments are exchanged by sonic and/or ultrasonic means between the mobile terminals (12, 15),
- the authentication server (13) receives the sonic and/or ultrasonic messages corresponding to the one-time password segments from the mobile terminals, decodes them to extract the segments, and compares the message, once reconstituted, with said one-time password for validation.
2/ - Method according to claim 1, characterized in that the authentication server (13) cuts the one-time password into at least two segments and sends these segments to at least one (12) of the mobile terminals.
3/ - Method according to one of claims 1 or 2, characterized in that at least part of the segments of the one-time password is encoded into sonic and/or ultrasonic messages at the authentication server (13) before transmission to the mobile terminals.
4/ - Method according to one of claims 1 to 3, characterized in that at least part of the segments of the one-time password is encoded into sonic and/or ultrasonic messages at at least one mobile terminal.
5/ - Method according to one of claims 1 to 4, characterized in that, the two mobile terminals (12, 15) being capable of transmitting and receiving sonic and/or ultrasonic messages, the authentication server (13) sends at least one segment of the one-time password to one (12) of the mobile terminals, and at least one other segment of the one-time password to the other (15) of the mobile terminals,
- the mobile terminals (12, 15) transmit sonic and/or ultrasonic messages corresponding to each password segment that they have received from the authentication server (13),
- the mobile terminals (12, 15) listen to said sonic and/or ultrasonic messages and transmit them to the authentication server (13),
- the authentication server (13) receives the sonic and/or ultrasonic messages from the mobile terminals, decodes them to extract the segments and reconstitute a message from these segments, and compares the reconstituted message with said one-time password for validation.
6/ - Method according to claim 5, characterized in that it comprises a step of checking and validating the sonic and/or ultrasonic communication channels between the two mobile terminals (12, 15) before sending said segments to the mobile terminals.
7/ - Method according to any one of claims 1 to 6, the second mobile terminal (15), of the mobile phone type, called the "customer's mobile phone", being assumed to be provided with a software application adapted to transform a message received from a server called the authentication server (13) into a sonic message, and the first mobile terminal (12), called the "merchant's payment terminal", being assumed to be provided with means for listening to a sonic and/or ultrasonic message and retransmitting it to the authentication server (13),
characterized in that it comprises in particular the following steps:
- step 301: the payment terminal (12) issues a transaction authorization request to the authentication server (13),
- step 302: the authentication server (13) checks the sonic and/or ultrasonic communication means existing between the payment terminal (12) and the mobile phone (15) of the customer (11),
- step 303: in the case where the two mobile terminals (12, 15) are capable of transmitting and receiving sonic and/or ultrasonic messages, the authentication server (13) obtains a one-time password, then cuts this password into at least two segments, and sends at least one segment to the payment terminal (12) and at least one other segment to the mobile phone (15) of the customer,
- the payment terminal (12) and the mobile phone (15) transmit sonic and/or ultrasonic messages corresponding to each password segment that they have received from the authentication server (13),
- step 304: the mobile phone (15) of the customer and the payment terminal (12) listen to said sonic and/or ultrasonic messages and record them, then transmit these recordings to the authentication server (13),
- step 305: the authentication server (13) receives the recordings of the sonic and/or ultrasonic messages from the mobile phone (15) of the customer and from the payment terminal (12), decodes these sonic and/or ultrasonic messages to extract the segments and reconstitute a message from these segments, and compares this reconstituted message with the original password for validation.
8/ - Method according to any one of claims 1 to 6, the second mobile terminal, of the mobile phone type, called the "customer's mobile phone", being provided with a software application adapted to transform a message received from an authentication server (13) associated with the authentication generator, called the "authentication server", into a sonic and/or ultrasonic message, the first mobile terminal (12), called the "merchant's payment terminal", being provided with means for listening to a sonic and/or ultrasonic message and retransmitting it to the authentication server (13), said authentication server being provided with means for generating a one-time password,
characterized in that it comprises in particular the following steps:
- step 401: a first mobile terminal, called the "payment terminal" (12), issues a transaction authorization request to the authentication server (13) and initializes the transaction,
- step 402: the payment terminal (12) checks the sonic and/or ultrasonic communication means existing between the payment terminal (12) of the merchant and the mobile phone (15) of the customer,
- step 403: in the favorable case, the payment terminal (12) cuts the one-time password generated by the authentication server (13) into at least two segments, sends at least one segment to the mobile phone (15) of the customer via the authentication server (13), and at least one other segment by sonic and/or ultrasonic means,
- step 404: the mobile phone (15) of the customer listens to the sonic and/or ultrasonic message received from the payment terminal and records it, then transmits this recording to the payment terminal (12) via said authentication server (13),
- step 405: the payment terminal (12) receives the information from the mobile phone (15) of the customer, extracts each segment from it, and compares the message, once reconstituted, with the one-time password.
9/ - Method according to claim 8, characterized in that, in step 404, at least part of the recording and of each segment received from the authentication server (13) is transmitted in sonic and/or ultrasonic form by the mobile phone (15) of the customer to the payment terminal (12).
10/ - Method according to any one of claims 1 to 9, characterized in that it comprises steps in which:
- an authentication message is generated by an authentication server (13) at the request of one of the two users,
- said authentication message is transmitted, via a communication network, to a mobile terminal associated with one of the users,
- said authentication message is encoded in the form of a sonic and/or ultrasonic message comprising at least part of the message encoded in the form of sounds and/or ultrasounds in the frequency band compatible with reception by a conventional mobile phone,
- said sonic message is transmitted by said mobile terminal and listened to by the other mobile terminal, associated with the other user,
- the received sonic and/or ultrasonic message is retransmitted by the second mobile terminal to the authentication server (13) for comparison with the expected message and for validation.
PCT/FR2014/052176 2013-09-03 2014-09-03 Method for authenticating a transaction WO2015033061A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
FR1358428A FR3010214B1 (en) 2013-09-03 2013-09-03 TRANSACTION AUTHENTICATION METHOD
FR13.58428 2013-09-03
FR1456157A FR3023115B1 (en) 2014-06-30 2014-06-30 METHOD AND DEVICE FOR SECURELY TRANSMITTING A CONFIDENTIAL CODE BETWEEN TERMINALS
FR14.56157 2014-06-30

Publications (1)

Publication Number Publication Date
WO2015033061A1 true WO2015033061A1 (en) 2015-03-12

Family

ID=51655771

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/FR2014/052176 WO2015033061A1 (en) 2013-09-03 2014-09-03 Method for authenticating a transaction

Country Status (1)

Country Link
WO (1) WO2015033061A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110258121A1 (en) 2010-04-14 2011-10-20 Nokia Corporation Method and apparatus for providing automated payment
US20110270758A1 (en) * 2010-08-08 2011-11-03 Ali Mizani Oskui Method for providing electronic transaction using mobile phones
US20130151402A1 (en) * 2011-12-09 2013-06-13 Time Warner Cable Inc. Systems and methods for electronic payment using a mobile device for billing to a subscriber account
US20130159195A1 (en) * 2011-12-16 2013-06-20 Rawllin International Inc. Authentication of devices

Similar Documents

Publication Publication Date Title
JP5805846B2 (en) Continuous voice authentication for mobile devices
US9313031B2 (en) Telephone caller authentication
CN108028001B (en) System and method for audio signal mediated interaction
WO2015033061A1 (en) Method for authenticating a transaction
EP2242229A1 (en) Method for authenticating a mobile client terminal with a remote server
EP1549011A1 (en) Communication method and system between a terminal and at least a communication device
EP1368930A2 (en) Cryptographic authentication with ephemeral modules
EP2619941A1 (en) Method, server and system for authentication of a person
CN106504745A (en) A kind of speech verification code system and its implementation method
EP2249543A2 (en) Method for authorising a connection between a computer terminal and a source server
WO2010023298A2 (en) Secure methods of transmitting and receiving data between terminals comprising means of near-field communication, and corresponding terminals
CN103955822A (en) Method for mobile payment by transmitting data through variable frequency sound waves
EP3959629A1 (en) Hardware authentication token with remote validation
EP1867189A1 (en) Secure communication between a data processing device and a security module
FR3010214A1 (en) TRANSACTION AUTHENTICATION METHOD
Caprolu et al. Short-range audio channels security: Survey of mechanisms, applications, and research challenges
WO2016001171A1 (en) Method and device for secure transmission of a confidential code between terminals
GB2510378A (en) Simultaneously providing caller ID information and encrypted caller ID information for Telephony caller authentication
EP1709827A1 (en) Method of securing a mobile telephone identifier and corresponding mobile telephone
FR3060247A1 (en) METHOD OF CUSTOMIZING SECURE TRANSACTION DURING RADIO COMMUNICATION
WO2016144806A2 (en) Digital voice signature of transactions
US10601820B2 (en) Method and apparatus to identify and authorize caller via ultrasound
WO2015107175A1 (en) Method of transmitting encrypted data, method of reception, devices and computer programs corresponding thereto
EP2897095B1 (en) Method for securing a transaction conducted by bank card
WO2021191546A1 (en) Method and device for supplying a terminal of a first user with a biometric signature of a second user

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 14777697; country of ref document: EP; kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 EP: PCT application non-entry in European phase. Ref document number: 14777697; country of ref document: EP; kind code of ref document: A1