METHOD AND SYSTEM FOR MUTUAL AUTHENTICATION OF TWO FACTORS Background of the Invention Technological improvements have allowed businesses and individuals to participate in transactions in novel and expanding environments. For example, computer networks, such as the Internet and wireless networks, have allowed the exchange of information, for example, in financial transactions, using any electronic device that can communicate information through a computer network. With regard to financial transactions, consumers appreciate the convenience of making such transactions without having to visit a service provider directly. Accordingly, consumers can avoid the time they spend in driving, for example, to a retail location, a doctor's office, a bank and / or the like and the discomfort associated, for example, with purchases in a retail store. retail environment or wait in line at a bank or in a doctor's office, by conducting these transactions from the privacy of your home. Even though the use of the Internet to carry out transactions that have been done historically in person has risen substantially, one of the most important factors impeding a continuous expansion is the potential security problems posed by the performance of such transactions in an online environment. . Current systems for carrying out such transactions have inherent weaknesses in their security protocols. For example, these systems often use static keys. An unauthorized third party can obtain the static key by intercepting an electronic transaction and reverse engineering the data
of the transaction can determine the account information and the key contained therein. In addition, the user can have access to a service provider that can not be authenticated. For example, an Internet user who has the purpose of accessing a Web site from a service provider may have redirected data through an unauthorized Web site or may not intentionally access an unauthorized Web site that extracts information directly. in order to subsequently commit fraud. As such, the consumer may wish to authenticate the Web site they are accessing before providing sensitive or confidential information. Therefore, consumers and organizations have concerns regarding the possibility that a transaction made in an online environment could allow information to be taken without the consumer's authorization. What is required is a method and system to inhibit unauthorized access to online transactions. There is a need for a method and system that can safely perform an online transaction. There is a need for a method and system that allows a user to verify the authenticity of a particular location on the Internet such as, for example, the user's bank or a desired merchant before sending sensitive or confidential information to that location. There is also a need for a method and system for performing a two-factor mutual authentication between a user system and a host system to inhibit fraudulent access to online transactions. The present disclosure focuses on solving one or more of the problems mentioned above. Before describing the present methods, systems and materials, it must be understood that
this invention is not limited to the particular methodologies, systems and materials described, since these may vary. It will also be understood that the terminology used in the description is used for the purpose of describing particular versions or embodiments only and is not intended to limit the scope of the invention which will be limited only by the appended claims. It should also be noted that, as used herein and in the appended claims, the singular forms "a", "an", "the" and "the" include plural references unless the context clearly dictates otherwise. Therefore, for example, the reference to a "user" is a reference to one or more of. the parties or locations involved in any exchange of value, data and / or information. Unless expressly indicated otherwise, all the technical and scientific terms not defined herein have the same meanings as those commonly understood by a person with ordinary knowledge in the field, while all technical and scientific terms defined shall include the same meaning that the meaning usually understood by a person with ordinary knowledge in the matter with the established definition. Even when any method, material and device similar or equivalent to those described herein can be used, the preferred methods, materials and devices are described below. All publications mentioned here are incorporated by reference. Nothing here should be considered as recognition that the invention has no right to precede said disclosure by virtue of prior invention. In one embodiment, a method for effecting a secure transaction through a communication network may include the receipt of an account identifier and a one-time password from a user system through a communication network, determining If the one-time password is valid, transmit a message
Personal authentication to the user system through the communication network if the one-time password is valid. The personal authentication message is a user-known information that allows the user to verify the authentication of the site. If the user confirms the personal authentication message, a password is received from the user system through the communication network, a determination is made in the sense of yes or no, the password is valid and a secure transaction is made if the password It is valid. In one embodiment, a system for effecting a secure transaction can include a user system, a communication network in operational communication with the user system, and a service provider system in operational communication with the communication network. The user system may transmit an account identifier and a one-time use code to the service provider system through the communication network. The service provider system can determine whether or not the one-time password is valid and can transmit a personal authentication message to the user system through the communication network if the one-time password is valid. The user system can determine whether or not the personal authentication message is valid and can transmit a password to the service provider system through the communication network if the personal authentication message is valid. The service provider system can determine whether or not the password is valid. If the password is valid, the user system and the service provider system can make a transaction through the communication network. BRIEF DESCRIPTION OF THE DRAWINGS Aspects, characteristics, benefits and advantages of the embodiments of the present invention will be apparent in relation to the following description, claims
Attachments and annexed drawings in which: Figure 1 represents a flowchart of an example method for effecting a secure electronic commerce transaction through a communication network in accordance with a modality. Figure 2 illustrates a flow diagram of an example method for effecting a secure financial transaction through a communication network in accordance with a modality. Figure 3 illustrates a flow chart of an exemplary method for effecting a secure health services transaction through a communication network in accordance with a modality. Figure 4 illustrates an example system for effecting a secure transaction in accordance with a modality. Detailed Description of the Invention A two-factor mutual authentication can use, for example, a one-time password and a personal authentication message to allow each part of a transaction to verify the other party. For example, a user may submit a one-time password to initiate the formation of a secure transaction connection. The key can be verifiable by the receiver to make sure that the user has access to a one-time key generator. If verified, the recipient can transmit a personal authentication message to the user. The personal authentication message may allow the user to verify that the recipient is authentic. In this way, each party in a remote transaction can verify that the other party is identifiable. A transaction can be, for example, any exchange of data in relation to electronic commerce, online banking, provision of health services and / or any similar exchange of data. The transaction may result in money transfer,
loyalty points and / or other units of commerce from one party to the other in exchange for a corresponding product or service. Alternatively, the transaction may result in the transfer of funds from one account to another account in one or more banking systems. The transaction may result in the transfer of inferior health care or services to a particular person. In the same way, other transactions may result in the transfer of similar types of data, money, products and / or services. A transaction, such as e-commerce, online banking, health services and / or other transactions, can be initiated using, for example, account information. The account information can be an account number and the account holder for a credit card, debit card, smart card, stored value card, ATM card, bank account, or insurance and / or any other alphanumeric identifier. The transaction may also include a one-time key that may be generated by the transaction card and / or a related device. Figure 1 shows a flow diagram of an example method for effecting a secure electronic commerce transaction through a communication network in accordance with a modality. Prior to the steps shown in Figure 1, a user can browse a website of a merchant for products and / or services. When selecting products and / or services for acquisition, the user can initiate a transaction by paying account 105 on the merchant's website. For example, the user can select a "purchase" or "payment" button provided by the merchant's website. Payment may include the selection of a mode of payment by the user, confirmation of purchased items, identification of shipping and / or billing addresses, and / or other requests for payment.
similar information. When the user selects a transaction card as a mode of payment, a payment web page 110, for example, can be accessed in order to initiate a secure payment. Preferably, the payment web page 110 can be totally controlled by the issuer of the transaction card thus allowing the user to connect directly with the issuer in order to eliminate the possibility of security breaches in the exchange of data with the merchant. On the initial payment page, the user can be encouraged to enter 115 an account number. In one mode, the account number may include a credit card account number, a debit card account number, a stored value card account number, a financial account number and / or an account number Similary. The account number may be, without limitation, an alphanumeric identifier indicating a particular account and / or a particular user, or any other alphanumeric identifier. The user can also be encouraged to enter 120 a one-time password. In one embodiment, the one-time key can be generated by a single-use key generator, such as a transaction-driven card and / or a similar device with a microprocessor capable of generating a key of compliance with agreed protocols. . The one-time password can change on a periodic basis, such as every minute, every hour, or the like. In one embodiment, the one-time password can be calculated using a time stamp. In an alternative mode, the one-time-use key can be calculated based on a number of successful transactions that have been previously made using the transaction card. Additional methods of calculating the one-time key can also be used within the scope of the disclosure and
they will be apparent to people with ordinary knowledge in the field. In one embodiment, the one-use key may be an apparently random alphanumeric identifier calculated according to an algorithm implemented in a single-use key generator. In each of these modalities, the single-use key can be generated in a known manner by the issuer. In one embodiment, the one-time key generator can communicate the one-time password to the user through an output device. For example, the one-time password can be displayed on a screen and / or announced through a speaker in order to inform the user of the one-time password. . . · | | · -.-The one-time password can be entered using a user system to perform the electronic commerce transaction. In a modality, the user can enter the one-time password through a user interface. In an alternative mode, the one-time password can be entered using electronic means, such as a data port connected to the user system. In such a mode, the one-time password may not be displayed and / or announced to the user and / or the single-use key generator may not have a screen and / or a speaker. The account number and the single-use key can then be transmitted 125, either jointly or separately, to the issuer system through a communication network. In one embodiment, the communication network can be the Internet, an Intranet and / or the like. In one embodiment, the transmission can be made through a secure network connection. In an alternative mode, the transmission can be made through an unsecured network connection. The single-use key received in the sender's system from the user will then be compared with a key generated independently of the system of the sender.
transmitter. The sender can use substantially similar protocols to generate the key generated per sender as used by the device. For example, the sender's system can determine the algorithm used to produce the one-time key, for example, based on the account number. Alternatively, the algorithm may be agreed in advance by the user and the issuer system. In one embodiment, the received one-time key can be verified 130 by comparing it with an expected key value for the current time frame and one or more key values for previous time frames. Such a modality may allow the sender to verify 130 the one-time use key received even if the expected value of the one-time key changes during the course of the transaction. If the key received from the user is not verified, the issuer's system may for example terminate the transaction since the user has not been authenticated for the sender. If the key received from the user is verified, the account number can be used to retrieve a personal authentication message stored in the sender's system. The personal authentication message may include, for example, a digital image, a video stream, an alphanumeric sequence, a sound file and / or the like. The user can provide the personal authentication message to the issuer before the transaction, such as at the time of account formation. The personal authentication message may be transmitted 145 to the user system, which may allow the user to see, hear and / or otherwise understand the personal authentication message. The user can then determine 150 if the personal authentication message is correct. If the personal authentication message is not correct, the user can recognize that the website for purchase is not authentic and that the
transaction has been compromised. Accordingly, the user can complete the transaction before entering sensitive or confidential information. It is important to note that by terminating the transaction at this stage, the user can be protected against fraudulent use of the user's account since the password that allows the use of the account has not yet been entered and since the password a single use is not usable for future transactions. If the personal authentication message is correct, the user can enter 160 a password, which allows the account to be used for the particular transaction. The password can be transmitted to the sender's system. The sender's system may be to determine 165 if the password is valid. If the password is valid, the user system and the issuer system can initiate 170 a secure transaction using the particular account. Figure 2 presents a flow chart of an example method for securely accessing a financial account or other location, in a communication network in accordance with a modality. For example, a modality may include a method for a user to access a website of a financial institution in a secure manner and also allows the sensitive information of the user to be provided to the financial institution as opposed to being provided to a third party. pretending to be the financial institution. The process can be initiated when the user accesses 205 a Web page of connection for the financial institution. A financial institution can include a bank, a brokerage house, an investment organization in securities, and the like. In the connection Web page, the user can be encouraged to enter 210 an identifier. He can include a username, an account number, and / or
any other alphanumeric identifier. The user can also be encouraged to enter 215 a one-time password. In one embodiment, the single-use key can be generated by a single-use key generator, such as an activated transaction card and a similar device with a microprocessor capable of generating a key in accordance with agreed protocols. The one-time password can change periodically, such as every minute, every hour, or the like. In one embodiment, the one-time password can be calculated using a time stamp. In an alternative modality, the one-time password can be calculated based on a number of successful transactions that have been previously made using the transaction card. Additional methods of calculating the one-use key may also be employed within the scope of the present disclosure and will be apparent to those of ordinary skill in the art. In one embodiment, the one-use key may be an apparently random alphanumeric identifier calculated in accordance with an algorithm implemented in a single-use key generator. In each modality of this type, the single-use key can be generated in a manner known to the financial institution. In one embodiment, the one-time key generator can communicate the one-time password to the user through an output device. For example, the one-time password can be displayed on a screen and / or announced through a speaker to inform the user of the one-time password. The one-time password can be entered 215 using a user system to carry out the transaction. In a modality, the user can enter the one-time password through a user interface. In an alternative mode, the key to
a single use can be entered using electronic means such as a data port connected to the user system. In such a mode, the one-time password may not be displayed or advertised to the user and / or the single-use key generator may not have a screen or a speaker. The account number and the one-time password can then be transmitted 220, either jointly or separately, to the system of the financial institution through a communication network. In one embodiment, the communication network can be the Internet, an Intranet and / or the like. In one embodiment, the transmission can be made through a secure network connection. In an alternative mode,; the transmission can be made through an unsecured network connection. The single-use key received in the financial institution system from the user will then be compared with a key generated independently by the financial institution system. In the independent generation of the key, the financial institution system can use substantially similar protocols for the generation of the key to the protocol used by the user. For example, the financial institution system can determine the algorithm used to produce the one-use key for example based on the identifier. Alternatively, the algorithm can be agreed in advance by the user and the financial institution system. In one embodiment, the received one-time key can be verified 225 by comparing it with an expected key value for the current time frame and one or more key values for previous time frames. Such a modality may allow the financial institution to verify the one-time use key received even if the expected value of a single key changes during the course of the transaction. If the key received from the user is not verified, the financial institution system can, for example, prohibit access
to the site of the financial institution 230. If the key received from the user is verified, the identifier can be used to retrieve a personal authentication message stored in the system of the financial institution. The personal authentication message may include, for example, a video image, a video stream, an alphanumeric sequence, a sound file and / or the like. The user can provide the personal authentication message to the financial institution before the transaction, such as when the account is formed. The personal authentication message may be transmitted 240 to the user system, which may allow the user to see, hear and / or otherwise understand the personal authentication message. The user can then determine 245 if the personal authentication message is correct. If the personal authentication message is not correct, the user can recognize 250 that the website of the financial institution is not authentic and / or that the transaction has been compromised. Accordingly, the user may terminate the attempt to access the financial institution's site before entering sensitive or confidential information. Importantly, by terminating the effort to access the financial institution's site at this stage, the user may be protected from attempts to fraudulently obtain the user's required information to access the location since the user's password, which is necessary to obtain such access, has not yet been entered and since the single-use key can not be used for future attempts. If the personal authentication message is correct, the user can enter 255 a password that allows access to the user's account located in the financial institution system. The password can be transmitted to the financial institution system. The financial institution system can determine 260 if the password
It is valid. If the password is valid, the user is allowed access to the system of the financial institution 265. Although described with reference to a system of financial institution, a person with ordinary knowledge in the matter will understand that the description above is also applicable to any other type of service provider that may require restricted or secure access to your site. Figure 3 shows a flow chart of an exemplary method for effecting a secure health services transaction in a communication network in accordance with a modality. The user can initiate a health service transaction by accessing a connection Web page for a health service provider. A health care provider may include a doctor's office, an insurance provider, a hospital, a clinic and / or the like. On the connection page, the user can be encouraged to enter 310 an identifier. The identifier may include a user name, an account number and / or any other alphanumeric identifier. The user can also be encouraged to enter 315 a one-time password. In one embodiment, a single-use key generator, such as an activated transaction card and / or a similar device with a microprocessor capable of generating a key in accordance with agreed protocols, can determine the one-time key. The one-time password can change on a periodic basis, such as every minute, hourly or similar. In one embodiment, the one-time password can be calculated using a time stamp. In an alternative mode, the key can be calculated based on a number of successful transactions that have been previously made using the transaction card. Additional methods of calculating the key of a
they can also be used only within the scope of this disclosure and will be apparent to those of ordinary skill in the art. In a modality, the one-use key may be an apparently random alphanumeric identifier calculated in accordance with an algorithm implemented in the one-time key generator. In each modality of this type, the key can be generated in a manner known to the health service provider. In one embodiment, the one-time key generator can communicate the key to the user through an output device. For example, the one-time password can be displayed on a screen and / or announced through a speaker to inform the user in relation to the password. The one-time password can be entered 315 using a user system to carry out a health services transaction. In a modality, the user can enter the one-time password through a user interface. In an alternative mode, the one-time password can be entered using electronic means such as a data port connected to the user system. In such a modality, the one-time key can not be displayed or announced to the user and / or the single-use key generator can not have a display and / or a speaker. The account number and the single-use key can then be transmitted 320, either jointly or separately, to the health service provider system through a communication network. In one embodiment, the communication network can be the Internet, an Intranet and / or the like. In one embodiment, the transmission can be made through a secure network connection. In an alternative mode, the transmission can be made through an unsecured network connection. The single-use key received in the health service provider system
The user will then be compared with a key generated independently by the health service provider system. In the independent generation of the key, the health service provider system can use protocols substantially similar to the protocols used to generate the key as used by the user. For example, the health service provider system can determine the algorithm used to produce the one-use key for example based on the identifier. Alternatively, the algorithm can be agreed in advance by the user and the health service provider system. In one modality, the one-time received key can be; checked 325 by comparing it with an expected key value for the current time frame and one or more key values for previous time frames. Such a modality may allow the health service provider to verify the received one-time use key even if the expected value of the one-time use key changes during the course of the transaction. If the key is not verified, the health service provider system, for example, may terminate the transaction. If the key received from the user is verified, the identifier can be used to retrieve 335 a personal authentication message stored in the health service provider system. The personal authentication message may include, for example, a digital image, a video stream, an alphanumeric sequence, a sound file and / or the like. The user can provide the personal authentication message to the health service provider before the transaction, such as when the account is formed. The personal authentication message may be transmitted to the user system which may allow the user to see, hear and / or otherwise understand the personal authentication message. The user can then determine 345 if the personal message of
Authentication is correct. If the personal authentication message is not correct, the user can recognize that the website of the health service provider is not authentic and / or that the transaction has been compromised. Accordingly, the user can complete the transaction before entering sensitive or confidential information. Importantly, by terminating the transaction at this stage, the user may be protected from attempts to fraudulently obtain the information required to access the user's health services account and / or medical information since the user's password user, which is necessary for an access of this type has not yet been entered and since the one-time password can not be used for future attempts. If the personal authentication message is correct, the user can enter 355 a password that allows access to the health service provider system. The password can be transmitted to the health service provider system. The health service provider system can determine 360 if the password is valid. If the password is valid, the user has the right to access the 365 health service provider system. Additional and alternative modes that use processes similar to the processes described above can be used in various environments. Figure 4 presents an example system for carrying out a secure transaction in accordance with a modality. As shown in Figure 4, the system can include a single-use key generator 405, a user system 415, a communication network 440, and a service provider system 450. The single-key generator Use 405 may include, for example, a transaction card that has a processor that implements an algorithm to calculate a key. The calculated key can be unique for a particular transaction. In a
In this embodiment, the one-time key generator 405 may dynamically generate a key based for example on a time stamp and / or account information. A key can be retrieved alternately from a list of single-use keys. In one embodiment, such keys can be used in a particular order such that the service provider's system can verify a particular key. Other modalities are contemplated within the scope of the present disclosure. The one-time key generator 405 can provide the key to a user through an output device 410, such as a screen and / or a speaker. The user can then provide the key to the user system 415 through a user interface 425. Alternatively or additionally, the one-time key generator 405 can directly provide the key to the user system 410 through a port of output data (not illustrated). The user system 415 may include a processor 420, a user interface 425, an output device 430 and a communication interface 435. The user interface 425 may include a keyboard, a mouse, a tracking ball and / or any another input device for providing information to the processor 420 from a user. The output device 430 may include a screen, one or more horns or the like to provide information to the user. The communication interface 435 may allow communication between the user system 415 and the communication network 440. In one embodiment, the user system 415 may further include an input data port (not shown) for directly receiving information from the generator single use keys 405. The communication network 440 can be a network of computers, such as the Internet, an intranet and / or the like, to pass information between systems of communication.
remote computers. The communication network 440 may be in operative communication with each of the user system 415 and service provider system 450 through respective communication interfaces 435 and 465. The service provider system 450 may include a processor 455, a storage means 460 and communication interface 465. Processor 455 can receive information from communication network 440 through communication interface 465. Information received can include account information and a key received from a user system 415 The 455 processor can compare the received key with an expected key to determine whether or not it authenticates "1 user providing the key. If the user is authenticated, the processor 455 can retrieve a personal authentication message from the storage means 460. The processor 455 can then transmit the personal authentication message to the user system 415 through the communication network 440. Upon receipt, the processor 420 of the user system 415 or the user, for example through the user interface 425, can use the personal authentication message to authenticate the service provider system 450. If the service provider system 450 is authenticated , the user can enter a password in the user system 415 and start the transaction. It will be noted that several of the features and functions disclosed above as well as other features and functions or alternatives thereof may be desirably combined in many other systems or different applications. It will also be noted that various alternatives, modifications, variations or improvements currently not anticipated or not foreseen may be subsequently developed by persons with knowledge in the field.