RU2780029C1 - Method for identification of an online user and his device - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to the field of information technology. The expected result is achieved by determining and confirming of the unique identifier of the user and his device by the identification service each time an online user accesses online data transmission services after the initial identification of the online user in the mobile network of the mobile operator. At the same time, with indirect access of the online user to the mobile network, the presence of a unique composite identification key on the online user’s device is additionally checked, the relevance of the bundle of their own hardware device identifier provided by the device manufacturer and stored on it, and the mobile subscriber number of the digital network with the integration of communication services is checked.

EFFECT: increase in the reliability of online user identification in the network, ensuring the security of access to information resources.

7 cl, 1 dwg

Description

The present invention relates to the field of information technology, namely to a method for identifying an online user and his device using unique hardware and subscriber identifiers, for example, by the number of a mobile subscriber of a digital network with integration of services for communication in GSM, UMTS, etc. (MSISDN) standards ) or a unique composite user device identification key (UCIK) that is associated with MSISDN in the Online Services when the online user's device is located on any data network, including indirect access to the mobile network, after the initial identification of the online user in the mobile network of the mobile operator (OSN).

Terms used in the text of the description of the invention.

1. Cellular communications (mobile network, mobile network / communications) - one of the types of continuous mobile radio communications subscriber moving in the same frequency range, which is based on a cellular network, the total coverage area of \u200b\u200bwhich is divided into cells (cells), determined by partially overlapping coverage areas of individual base stations (BS).

2. MSISDN (Mobile Subscriber Integrated Services Digital Number) - the number of a mobile subscriber of a digital network with integration of services for communication in GSM, UMTS, etc.

3. Applet (Applet) - a non-independent software component that works in the context of another, full-fledged application, designed for one narrow task and has no value in isolation from the base application.

4. SIM-card (Subscriber Identification Module) - the subscriber's identification electronic module used in mobile communications. It can be made as a separate component inserted into the communication device, or it can be found in the device by its hardware and software (electronic SIM card). The SIM card may be equipped with its own software including, but not limited to, its own Operating System, set of Applets, etc. Such software serves the purpose of performing additional functions, in particular those required for the implementation of the described Method.

5. ICCID (Integrated Circuit Card identifier) - a unique serial number of the SIM card.

6. IMSI (International Mobile Subscriber Identity) is an international mobile subscriber identifier (individual subscriber number) associated with each user of mobile communications of the GSM, UMTS or CDMA standard.

7. UHSI (Unique Hardware Subscriber Identifier) - a unique hardware user identifier, including, but not limited to, a cellular subscriber. The UHSI can be, in particular, but not limited to, IMSI or ICCID, as well as certificates in applications, the operating system, or identification keys on external hardware.

8. IMEI (International Mobile Equipment Identity) - an international mobile equipment identifier, usually unique, used to identify GSM, WCDMA and IDEN devices, as well as some satellite devices.

9. OCC (Operator of Cellular Communications) - a company that provides cellular services for cellular devices of its subscribers. OSS can be represented in terms of infrastructure as technically and legally separate providers of various functions included in cellular communications. Some providers may simultaneously perform the same functions (including, but not limited to, storing the MSISDN registry, MSISDN, IMEI and IMSI bundles, sending hidden and regular SMS, locating user equipment), while being considered an integral part of the OSS.

10. UD (User's Device, or user device) - any arbitrary user software and hardware environment (including, but not limited to, a remote virtual OS) that ensures the correct operation of the claimed Method for identifying an online user and his device (hereinafter referred to as the Method) on the user side .

11. Storage - any container for writing/storing/reading/editing/deleting information in the UD that is technically acceptable for the operation of the described scheme. Including, but not limited to, browser cookies or storage, the application's internal cache.

12. Data - a reusable presentation of information in a formalized form suitable for transmission, communication or processing, which is operated by information systems and their users.

13. Metadata - information about other information, or data relating to additional information about the content or object. Metadata reveals information about the features and properties that characterize any entities that allow you to automatically search and manage them in large information flows.

14. Network (Computer network, Computer network) - a system that provides data exchange between computing devices (computers, servers, routers and other equipment). Various media can be used to transfer information. Network examples - Internet, Intranet.

15. Online - the state of connection to the Network, allowing you to participate in its operation.

16. User - a person or organization that uses the Network to perform a specific function.

17. Server (Server) - a dedicated or specialized computer for the execution of service software.

18. Server software - a software component of a computing system that performs service (maintenance) functions at the request of the client, providing him with access to certain resources or services.

19. Client (Client) - a hardware and/or software component of a computing system that sends requests to the server.

20. Direct access to the mobile network - the direct connection of an online user to a cellular network without the possibility of changing data and metadata or mistakenly identifying one user as another.

21. Indirect access to the mobile network - access, technically carried out in such a way that allows the change of transmitted data and / or erroneous identification of one user as another. For example, provided from another intermediate device with mobile access and/or through invalid hardware, in particular, but not limited to, external GSM modems.

22. Internet - a worldwide system of interconnected computer networks for storing, processing and transmitting information. Referred to as the World Wide Web and the Global Network, as well as simply the Network. The Internet is based on the World Wide Web (WWW) and many other data transmission systems.

23. Intranet - Unlike the Internet, this is the internal private network of an organization or a large government department.

24. Web (WEB) - a system for accessing interconnected documents and files on various computers connected to the Web.

25. Page - any set of data in any technical terms that allows the Application to display the interface and software functionality necessary for the user to work correctly in the Application, including the components of the claimed Method.

26. Site - any software and hardware complex that provides services or information (including two-way information exchange) using WEB technology or other technology on the network. Represents one or more logically interconnected pages (most often, web pages); also the location of the server content. Typically, a site on the Web is an array of related data that has a unique address and is perceived by the user as a single entity. The site allows both displaying information and receiving it from the user for further processing, which may result in a change in the displayed information.

27. Code injection - embedding additional program code into the main page code (both before the page is loaded by the online user, and during its loading - “on the fly”), which allows you to expand the regular functionality of the page, in particular, to implement what is claimed in the Method functionality.

28. Browser (web browser) - application software for viewing pages, the content of documents, computer files and their directories; application management; as well as for other tasks. On the Web, browsers are used to request, process, manipulate and display the content of sites, exchange files with servers, as well as to directly view the content of files in graphic formats (gif, jpeg, png, svg), audio-video formats (mp3, mpeg), text formats (pdf, djvu) and other files.

29. Cookie - a small piece of data sent by the server and stored on the user's computer. The application (usually a web browser) sends this piece of data to the server as part of the request each time it tries to open a page on the corresponding site.

30. Data transfer protocol (hereinafter referred to as the protocol) is a set of logical-level interface agreements that determine the exchange of data between various programs. These conventions define a uniform way of transmitting messages and handling errors when software interacts with spaced hardware connected by one interface or another.

31. Secure protocol - a protocol that ensures that the transmitted data cannot be falsified by third parties.

32. Insecure protocol - a protocol that allows third parties to falsify transmitted data. In particular, it allows code injection - that is, the addition by intermediate communication nodes at the time of transmission to the transmitted data of their information, which is indistinguishable for the client from that originally transmitted by the server.

33. IS (Identification Service) - Identification Service that provides accurate identification of the client. All server and client software and hardware components of IS, if necessary, but not necessarily, can be partially or completely represented by software and hardware solutions of counterparties. In particular, the functions of determining MSISDN, injecting code (including, but not limited to, client module code) into data, sending hidden and regular SMS, checking the type of user access to the Network (direct or distributed by another online user, received through an external or through an internal GSM modem), receiving data from primary sources of information by additional identifiers of the user and his device (for example, IMEI, IMSI and MSISDN) can (but not necessarily) be performed by components created and / or placed in the OSS infrastructure or other software third party hardware infrastructures. All server components of IS can be partially and/or completely located in the infrastructure perimeter of counterparties on any type of server placement (including, but not limited to, on a single physical, virtual, linked physical or virtual servers, or cloud solutions). All client software components of IS can either be pre-installed in UD, or loaded there from the server part of IS. The interaction of the server and client parts, as well as their data exchange with third parties, takes place according to a secure protocol (except for cases requiring an insecure protocol). The acceptance condition for the server and client code is the possibility of technical reproduction of all the steps described in the Method, subject to the safety rules for the operation of the UD. IS includes:

a. client module (Client Module - CM) - program code on the user side, separately pre-embedded (or downloaded from the IS server) into the executable code of the Online Service, which does not affect the main functionality of the Online Service, but adds functionality for identifying an online user. CM can be updated "on the fly" both on the pages of the sites and in the Application during their operation.

b. server module (Server Module - SM) - a program code on the server side for performing data processing functions and the necessary data exchange between all components of the Method implementation infrastructure.

34. WebView - an operating system component that allows you to embed and view web pages in the Application (including, but not limited to, iOS, Android and Windows Phone platforms).

35. Online service - a third-party software and hardware solution for the sale/provision of information/goods/services on the Web. Implementation options:

a. Partner site (PtS) - a site included in the IS program and placed on its CM pages in any technically acceptable way.

b. Non-Partner Site (NPtS) - a site that is not included in the IS program and has not been placed on its CM pages in a technically acceptable way.

c. Application (APP) - Software for UD, acceptable implemented for participation in the described method (including, but not limited to, a mobile Application, made, in particular, but not only, using native code technology, SDK code with development in an IDE , as well as PWA and / or similar WEB technology, in particular, but not necessarily, using WebView components). The application can also be a built-in function or component of the operating system of the device.

d. WebView Application - An application that has the ability to display pages created using WEB technology within its main code without transferring them for display to an external browser.

36. NUDID (Native Unique Device Identifier) - the device's own hardware identifier provided by the device manufacturer and stored on it at the expense of the device's standard hardware and software (for example, IMEI).

37. SUDID (Service Unique Device Identifier) - a unique device identifier in SM, associated on the server side of IS with the user's own hardware device identifier (NUDID) and (if necessary) with other required user data, including identifiers in other data sources and accounting systems user.

38. UID (Unique User Identifier) - a unique user identifier in SM, associated on the server side of IS with MSISDN and other necessary user data, including identifiers (including, but not limited to, SNILS, TIN, social security number, Social network accounts, etc. .d.) in other data sources and user accounting systems.

39. UCIK (Unique Composite Identification Key) - a unique composite user and device identification key, including SUDID and UID, used to unambiguously identify the user and his device by the Online Service. UCIK can be single - running during one session and without writing / updating to the UD storage, as well as reusable (normal type) - with writing / updating to the UD storage.

40. UIKF (User's Identification Key Fingerprint) - a UCIK fingerprint generated in IS and allowing to uniquely distinguish the user on the side of the Online Service, but not to identify in IS. UIKF can be single - running during one session and without writing / updating to the UD storage, as well as reusable (normal type) - with writing / updating to the UD storage.

41. Session - a session of interaction between CM and SM within the scope of opening and closing the application (including the browser).

42. Hidden SMS message - this message is not displayed in the interface of the mobile device, and the user does not see it.

43. UCC (Unique Confirmation Code) - a unique confirmation code generated and sent from SM to the user's device and sent back by the user to verify that the user has performed a certain operation or data (in this case, determining the user's MSISDN).

The Internet provides users not only with the ability to search for the necessary information, but also other services and resources that have become an integral part of modern life.

In order to use the services of the online service, the user in most cases must go through the identification and authentication procedure.

There are various ways to identify online users. Indirect methods, such as cookies, IP address, etc., are not accurate enough. More reliable recognition of an online user, which is necessary, for example, when conducting financial transactions, requires additional actions from the user. The online user must register in the online service, provide reliable information about himself, confirm it, and indicate a unique personal identifier. When repeatedly accessing this online service, the user must pass authentication, in which online services usually require a password, PIN code, biometric data, etc. Such identification methods require certain hardware from the user, time spent on registering and updating information in online services, ensuring the safety of passwords, and the online service requires certain costs to store user data and ensure the confidentiality of this data.

The most relevant are reliable identification methods that do not require additional user actions, using unique hardware and subscriber identifiers inherent in the user and his device.

Known from the prior art is a Method for identifying a mobile user by third parties based on a subscriber identity module card (SIM card) and device-related parameters available in telecommunication networks, according to patent GB2573262 with priority dated 03/08/2018. The method consists of the following steps: - The mobile user tries to interact with the Application or access the website, the Application/website developer sends the mobile ID request to the external IPification server; The IPification server passes up to six mobile ID requests as API calls to the mobile operator's server, with each mobile ID request based on one of the following SIM/Device related inputs: IMSI, ICCID, IMEI, MSISDN, Private IP and public IP; - The mobile operator's server sends mobile identifiers back to the IPification server; wherein each of the mobile identifiers is generated in response to one of the mobile ID requests sent to the server of the mobile operator as input parameters, and wherein each mobile identifier is a unique alphanumeric identifier of a user who is a subscriber of mobile services provided by the operator mobile communication; - The IPification server checks if all mobile device identifiers received from the mobile operator's server are identical and, depending on the result of the check, reacts in two alternative ways: If the check result is positive, the IPification server provides a single mobile user identifier to the developer of the Application / website by itself authenticating the mobile user and allowing him to interact with the Application or access the website; - If the result of the check is negative, the IPification server provides the Application/website developer with information about the failed user authentication, and as a result, the user is not allowed to interact with the Application or access the website. The disadvantage of this method is that it is used only for mobile Internet, which significantly limits the user's capabilities in real circumstances, for example, when access to the Network is possible only through a wireless computer network WiFi.

Also known is the Method and device for a trans-browser login for a mobile terminal according to patent US2015220234 with priority dated 08/06/2015. The method includes creating a folder with a data fragment (cookie) in the memory module of the mobile device that generates cookies by correlating the addresses of various websites with the login name and password of the subscriber corresponding to the various websites and the international mobile device identifier (IMEI). The website server stores the IMEI number of the mobile device under the login name corresponding to the subscriber. When a website is accessed, the browser on the mobile device checks to see if the website's cookie exists in the cookie folder. If a website cookie exists in the cookie folder, the cookie is sent to the website server, the website server reads the IMEI number of the mobile device from the cookie, looks up the corresponding login name, and returns the web page to the browser to enter the website with with this login. The main disadvantage of this invention is that it is essentially a way to identify the device, not the user. It deals only with identification by identifier or IMEI number of a mobile device and does not include identification by a mobile subscriber number of a digital network with integration of services for communication in GSM, UMTS, etc. (MSISDN) standards or by a unique composite user and device identification key (UCIK ). Also, the disadvantage of this method is that it solves the problem of remembering credentials - the login name and password for authorization, but does not solve the problem of automatic user identification through a mobile operator. Since the cookie is generated by correlating the addresses of different websites with the login name and password of the subscriber, the user must register in advance on all selected websites, which creates inconvenience for the user. Identification of a mobile device using only IMEI and Mobile Subscriber Identity (IMSI) without the participation of a mobile operator is not unambiguous and does not provide secure access to Internet resources. It is not possible to access websites through any ISP.

The closest analogue of the claimed invention is the Method for identifying an online user and his device according to patent RU2740308 with priority dated February 14, 2020. The method includes the initial access of an online user to any online service on the Network, the formation of a unique identifier of the online user and his device based on MSISDN, SUDID and UHSI identifiers using the identification service, including server and client modules, recording a unique identifier in the device storage and on the server, comparing and updating information about the user and his device each time the user re-accesses the online service. The method provides identification of an online user when accessing an online service in various ways: from a website, from a mobile device, using a browser or a special application. The disadvantage of this method is that there is a possibility of erroneously identifying one user as another in the event of accidental or non-random interference by another user, as well as when the user indirectly accesses the mobile network, for example, using an intermediate device that has mobile communication access, in particular, external GSM -modems.

The proposed invention solves the technical problem of eliminating these shortcomings, namely, it eliminates the possibility of erroneously identifying one online user as another with direct and indirect user access to the mobile network and provides reliable identification of the online user when accessing the online service through any data transmission network with any devices.

The technical result of the invention is to increase the reliability of identifying an online user, for example, the owner of a mobile device (phone, smartphone and other devices), on the Web and ensuring the security of access to information resources and payment systems by determining and confirming the Identification Service, for example, established by the operator cellular communication (OSN), a unique identifier of the user and his device each time an online user accesses online services over any data network after the initial identification of an online user in the mobile network of a cellular operator (OSN), by eliminating the risk of interference by an intermediate link , which provides access of the user device to the Internet using a non-secure protocol, and theft and / or modification of the data of the online user and his device by the tools of the one who is an intermediary in indirect access. In addition, the proposed invention allows you to increase the number of those online users who can be identified by directly accessing the primary source by NUDID, UHSI and MSISDN, which stores the most up-to-date links and has this data in cases where it is stored in the server module of the identification service the data is already outdated and will not allow you to determine the correct MSISDN by NUDID.

The technical result is realized through the following steps of the method for identifying an online user and his device using an identification service that includes server and client modules.

A server module is installed on the server, which generates a unique identifier of the online user and his device when the online user accesses the online service from his device via the mobile operator's network or when the application installed on his device is launched. To form a unique identifier, non-falsifiable hardware and subscriber identifiers of the user are used: the number of a mobile subscriber of a digital network with integration of services for communication in GSM, UMTS, etc. (MSISDN), a unique device identifier in the identification service, connected on the server side of the identification service with its own hardware user device identifier (SUDID), and the carrier's unique hardware subscriber identifier (UHSI). Then, a unique identifier of the online user and his device is recorded in the storage on the server and in the storage on the user's device. Next, a client module with identification functionality is added to the executable code of the online service. When re-accessing the online service, information about the user and his device is compared and updated.

A distinctive feature of the method is that when the online user indirectly accesses the mobile network, they additionally check for the presence of a unique composite identification key (UCIK) on the online user's device, check the relevance of the binding of the device's own hardware identifier provided by the device manufacturer and stored on it (NUDID) and numbers of a mobile subscriber of a digital network with integration of services for communication in GSM, UMTS, etc. (MSISDN) standards, namely, the current MSISDN is re-determined, a new NUDID and MSISDN bundle is created on the server module (SM) and updated.

At the same time, on the server module (SM), in the presence of a unique composite identification key (UCIK), on the device of the online user, the first bundle of NUDID and MSISDN (the first bundle) stored during the last access of the online user is determined, NUDID is determined in the primary source of information (for example, , from the mobile operator) the current MSISDN associated with it, receive a new second NUDID and MSISDN bundle, to update the NUDID and MSISDN bundle, the SM sends a command/message (for example, but not limited to, a hidden SMS) to the current MSISDN (from the second bundle), if the update is successful, the SM receives the current pair of NUDID and MSISDN (third link), compares all three links, and if all three links or the second and third match, it is decided that the identification was successful and the updated third NUDID link is sent to the client module (CM) and MSISDN write the updated UCIK to the repository.

If the client module (CM) does not have a unique compound identification key (UCIK), or if the update of the NUDID and MSISDN bundles fails, or if all three bundles and the second and third do not match, the online user is provided with a form for manually entering his MSISDN and then a unique code acknowledgments (UCC) create a temporary UCIK.

It should be said that the current number of a mobile subscriber of a digital network with integration of services for communication in GSM, UMTS, etc. (MSISDN) standards is determined on the Identification Service (IS), which receives data from primary sources of information, for example, a mobile operator (OSS) , by additional identifiers of the user and his device (for example, IMEI, IMSI and MSISDN).

Verification of compliance of hardware and subscriber identifiers of the MSISDN, SUDID and UHSI user is optionally implemented due to the direct connection of the IS, including through the OSS, with the software in the subscriber's electronic identification module, for example, with an applet on the SIM card, which provides the User with a graphical interface, for example , a form window with buttons, to confirm by the User that the bundle of identifiers is correct.

Thus, when an online user indirectly accesses the mobile network, the server module (SM) additionally checks the relevance of the binding of the device’s own hardware identifier provided by the device manufacturer and stored on it (NUDID) and the number of the mobile subscriber of the digital network with the integration of services for communication in standards GSM, UMTS, etc. (MSISDN) and an up-to-date pairing of NUDID and MSISDN user and device identifiers is created, which prevents erroneous identification of an online user, eliminates the risk of interference by an intermediate link that provides a user device with access to the Internet using a non-secure protocol, and theft and / or changes to the data of an online user and his device by the tools of someone who is an intermediary in indirect access. In addition, the proposed invention allows you to increase the number of those online users who can be identified by directly accessing the primary source by NUDID, UHSI and MSISDN, which stores the most up-to-date links and has this data in cases where it is stored in the server module of the identification service the data is already outdated and will not allow you to determine the correct MSISDN by NUDID.

As a result, the security of access to information resources and payment systems is increased. Therefore, the totality of the specified stages of the implementation of the method implements the specified technical result, which consists in increasing the reliability of identifying an online user on the Web and ensuring the security of access to information resources and payment systems.

The invention is carried out as follows:

1. The user accesses the Network by performing any of three actions:

a. opens a browser and requests a page,

i. from a non-affiliate site that is not included in the online user identification service (IS) program and has not placed a client module (CM) on its pages,

ii. from the Partner site, which is part of the Online User Identification Service (IS) program and has placed the client module (CM) on its pages.

b. launches the Application that loads data via WebView (WebView is an operating system component that allows you to embed and view web pages in the Application).

i. from a non-affiliate site without CM,

ii. from Partner site with CM.

c. launches an Application in which a special CM plugin is integrated.

2. When passing data through the mobile network of the mobile operator (CSN), the server module (SM) determines whether the user has direct access to the Network.

a. for Non-Partner Sites without CM via an insecure protocol in a browser or WebView application:

i. The user requests any page from the user device (UD) via SM.

ii. With indirect access, the actions end. In the case of direct access, the transition to the steps described in the further subparagraphs of this paragraph takes place.

iii. SM determines its own hardware device identifier (NUDID), unique hardware user identifier (UHSI) and mobile subscriber digital network number (MSISDN) of the user, generates, if necessary, a unique user identifier in SM (UID), a unique device identifier in SM (SUDID), UCIK and a UCIK (UIKF) imprint. SM adds "on the fly" CM to the user's data stream, updates the UHSI and MSISDN bundle if necessary. The SM sends the UCIK and UIKF to the CM.

iv. UCIK and UIKF are written/updated to the repository.

b. via a secure protocol in a browser or WebView application for Partner Sites with CM:

i. The user loads on UD the page with CM.

ii. With indirect access, an additional check for the presence of UCIK on the UD occurs.

1. If the access is indirect and there is no UCIK, then proceed to the steps when the unique composite user and device identification key (UCIK) is not in the storage when the data is not passing through the mobile network of the OSN (see paragraph 3.b.ii below).

2. If access is indirect but UCIK is present, then go to 3.b.i.2 and the steps that follow.

iii. With direct access, you go to the steps described in the further subparagraphs of this paragraph.

1. The CM requests the UCIK from the SM or passes the UCIK that is already in the store to the SM.

2. SM determines NUDID, UHSI and MSISDN, generates UID, SUDID, UCIK and UIKF if necessary, updates its UHSI and MSISDN binding if necessary, sends UCIK, UIKF and MSISDN (if necessary) in response to CM.

3. CM writes/updates UCIK and UIKF to storage.

4. The online service receives the UIKF or UIKF and MSISDN (as needed) from the CM and/or SM.

c. to pass data through a secure protocol from an Application with an integrated CM:

i. The user starts the Application with integrated CM.

ii. With indirect access, an additional check for the presence of a UCIK on the UD occurs.

1. If access is indirect and there is no UCIK, then proceed to the steps when there is no unique composite user and device identification key (UCIK) in the storage when passing data not through the mobile network of the OSN (see paragraph 3.b.ii below).

2. If access is indirect but UCIK is present, then go to 3.b.i.2 and the steps that follow.

iii. With direct access, you go to the steps described in the further subparagraphs of this paragraph.

1. The CM sends a request to the SM for a UCIK.

2. SM determines NUDID, UHSI and MSISDN, generates UID, SUDID, UCIK and UIKF if necessary, updates its UHSI and MSISDN binding if necessary, sends UCIK, UIKF and MSISDN (if necessary) in response to CM.

3. CM writes/updates UCIK and UIKF to storage.

4. The online service receives the UIKF or UIKF and MSISDN (as needed) from the CM and/or SM.

3. To pass data through a secure protocol not through the OSS mobile network in a browser or WebView application on the page of the Partner site, as well as in the Application with integrated CM.

a. The user opens in the browser a Partner site with CM, a WebView application with page loading with CM, or an Application with integrated CM.

b. The CM checks for the presence of the UCIK in the store and:

i. if UCIK is in storage, then

1. There is a request from CM to SM with UCIK transmission.

2. The SM by UCIK determines the NUDID and MSISDN (first binding) that were registered and stored in the SM when the user's MSISDN was last determined.

3. SM determines the current MSISDN (second link) by NUDID, receiving it from its component located at the primary source of the most up-to-date data on the MSISDN link and NUDID (for example, from a specialized OSS firmware) that tracks this link (in parallel with the main mechanism SM) as a result of the interaction of the UD and the OSN (for example, connecting the user's mobile device to the OSN network)

4. To update the NUDID and MSISDN link, the SM sends a command/message (for example, but not limited to a hidden SMS) to the current MSISDN (from the second link).

a. if the message is delivered, the SM receives the current NUDID and MSISDN pair (third binding) and then proceeds to the next steps (see 3.b.i.5 below).

b. if the command/message is not delivered, it jumps to the steps when the UCIK is not in the store (see 3.b.ii. below).

5. SM compares the old and new NUDID and MSISDN values in three bundles, after which three scenarios are possible:

a. if all three NUDID and MSISDN bundles match, then

i. The SM returns the successful identification status to the CM.

ii. The CM writes/updates (as needed) the UCIK and UIKF to the repository.

b. if only the second and third bundles coincide, then

i. The SM generates new SUDID, UID, UCIK and UIKF as needed, updates its UHSI and MSISDN binding as needed, returns to the CM a new UCIK, UIKF, MSISDN (if needed) and a successful identification status.

ii. CM writes/updates UCIK and UIKF to storage.

c. In all other cases of linkage matching, there is a transition to steps when the UCIK is not in the repository (see paragraph 3.b.ii. below)

6. Optionally, to improve the reliability of user identification, SM sends a special command to the user's SIM card, upon receipt of which, the SIM card displays a manual confirmation window on the device screen.

7. The online service receives the UIKF or UIKF and MSISDN (as needed) from the CM and/or SM.

ii. if there is no UCIK in the repository, then:

1. CM shows the MSISDN user input form, the user sends his MSISDN through the form to the SM, as a result of which the form changes and shows the UCC (Unique Confirmation Code) input field.

2. The SM generates and sends UCC to the UD, including but not limited to SMS, notifications to the Application, a message to the SIM card applet, or messages to the messenger.

3. The user enters in the form of the UCC, which the CM sends to the SM.

4. SM checks the validity of the UCC, and if it is valid, returns a response to the CM with the code validity status, generates, if necessary, a UID, SUDID, a one-time UCIK and a one-time UIKF, and sends to the CM only a one-time UIKF and MSISDN (if necessary) of the user indicating for CM does not write UIKF to storage. The user is identified by his MSISDN for the duration of the session.

5. The online service receives a one-time UIKF and MSISDN (as needed) from the CM and/or SM.

The scheme of the method for identifying an online user and his device is shown in Fig.1

1. Example 1.

The method for identifying an online user and his device when a user requests a Non-Partner Site (NPtS) with direct access (with indirect access, no actions are performed) via the mobile network of the Cellular Operator (OSS) using an insecure protocol from a browser or WebView application is carried out in the following sequence according to the scheme in Fig.1:

a. A request from a browser or WebView application (WebView is an operating system component that allows you to embed and view web pages in the Application) on a User's Device (UD) to an NPtS that is not part of the Identity Service (IS) program and has not hosted on the Client Module (CM) pages through the Server Module (SM), including, but not limited to, through proxy, DPI and caching technologies.

b. Transmission of a page request from SM to the Online Service.

c. Receiving a page in any technical form, including but not limited to IP packets, html code, etc., in SM from the Online Service.

d. SM determines its own hardware device identifier (NUDID), unique hardware user identifier (UHSI) and mobile subscriber digital network number (MSISDN) of the user, generates, if necessary, a unique user identifier in SM (UID), a unique device identifier in SM (SUDID), UCIK and a UCIK (UIKF) imprint. SM adds "on the fly" CM to the user's data stream, updates the UHSI and MSISDN bundle if necessary. The SM passes the UCIK and UIKF to the CM, which writes/updates them to the store.

Thus, the identification of the online user and his device when accessing the Non-Partner Site was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device using the server and client modules, which ensures secure access to information resources.

2. Example 2.

The method for identifying an online user and his device when a user requests a Partner (PtS) site with direct access (with indirect access, see Example 4) via the Operator's mobile network using a secure protocol from a browser or WebView application is carried out in the following sequence according to the diagram in Fig. one:

a. Request to the Partner site from a browser/WebView application to get the page on the UD.

b. Receipt in the UD of a page from the Online Service.

c. Request to get CM from page to SM.

d. Loading CM into a page from SM.

e. Request from CM to SM for UCIK.

f. SM determines NUDID, UHSI and MSISDN, generates UID, SUDID, UCIK and UIKF if necessary, updates its UHSI and MSISDN bundle if necessary, sends UCIK, UIKF and MSISDN (if necessary) in response to CM. CM writes/updates UCIK and UIKF to storage.

g. The online service receives the UCIK or UIKF and MSISDN (as needed) from the CM.

Thus, the identification of the online user and his device when accessing the Partner site was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device using the server and client modules, which ensures secure access to information resources.

3. Example 3.

The method for identifying an online user and his device when a user requests any Online Service with direct access (with indirect access, see Example 5) via the Operator's mobile network using a secure protocol from an Application with a built-in Client Module is carried out in the following sequence according to the diagram in Fig.1 :

a. Request from CM to SM for UCIK.

b. SM determines NUDID, UHSI and MSISDN, generates UID, SUDID, UCIK and UIKF if necessary, updates its UHSI and MSISDN bundle if necessary, sends UCIK, UIKF and MSISDN (if necessary) in response to CM. CM writes/updates UCIK and UIKF to storage.

c. The online service receives the UCIK or UIKF and MSISDN (as needed) from the CM.

Thus, the identification of the online user and his device when accessing the Online Service via the Operator's mobile network using a secure protocol from an application with a built-in Client Module was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device using the server and client modules, which provides secure access to information resources.

4. Example 4.

The method for identifying an online user and his device when a user requests from a browser or a WebView application to the Partner site via a secure protocol and not via the mobile OSS network, with the UCIK present in the storage and successful automatic verification of the MSISDN of the online user through a command/message, is carried out in the following sequence according to the scheme in Fig.1:

a. Request to the Partner site from a browser/WebView application to get the page on the UD.

b. Receipt in the UD of a page from the Online Service.

c. Request to get CM from page to SM.

d. Loading CM into a page from SM.

e. Request from CM to SM passing UCIK from storage.

f. The SM by UCIK determines the NUDID and MSISDN (first binding) that were registered and stored in the SM when the user's MSISDN was last determined. SM determines the current MSISDN (second link) by NUDID, receiving it from its component, located at the primary source of the most up-to-date data on the MSISDN and NUDID link (for example, from a specialized OSS firmware). The SM sends the command/message as a hidden SMS to the current MSISDN (from the second bundle).

g. The device informs the SM that it has received a command/message. The SM receives the current pair of NUDID and MSISDN (third pair).

h. SM compares the old and new NUDID and MSISDN values in three bundles, after which three scenarios are possible:

i. if all three NUDID and MSISDN bindings match, then the SM returns a successful identification status to the CM, which writes/updates (as needed) the UCIK and UIKF to the store.

ii. if only the second and third bindings match, then the SM generates new SUDID, UID, UCIK and UIKF if necessary, updates its UHSI and MSISDN binding if necessary, returns to the CM a new UCIK, UIKF, MSISDN (if necessary) and the status of successful identification. CM writes/updates UCIK and UIKF to storage.

iii. In all other cases of copula matching, a transition occurs to steps when there is no UCIK in the repository.

i. Optionally, to improve the reliability of user identification, SM sends a special command to the user's SIM card, upon receipt of which, the SIM card displays a manual confirmation window on the device screen.

j. The online service receives the UCIK or UIKF and MSISDN (as needed) from the CM.

Thus, the identification of an online user and his device when accessing the Partner Site when the user requests from a browser or WebView application to the Partner Site via a secure protocol and not over a mobile network OCC with the UCIK present in the storage was made with absolute accuracy due to comparison and confirmation three bundles of unique identifiers of the user and his device NUDID and MSISDN using the server and client modules, which provides secure access to information resources.

5. Example 5.

The method of identifying an online user and his device when a user requests from an Application with a built-in Client Module to an Online Service via a secure protocol and not via the Operator’s mobile network, with the UCIK present in the storage and successful automatic verification of the online user’s MSISDN through a command/message, is carried out in the following sequence according to the diagram in Fig.1:

a. Request from CM to SM passing UCIK from storage.

b. The SM by UCIK determines the NUDID and MSISDN (first binding) that were registered and stored in the SM when the user's MSISDN was last determined. SM determines the current MSISDN (second link) by NUDID, receiving it from its component, located at the primary source of the most up-to-date data on the MSISDN and NUDID link (for example, from a specialized OSS firmware). The SM sends a command/message, such as but not limited to a hidden SMS, to the current MSISDN (from the second bundle).

c. The device informs the SM that it has received a command/message. The SM receives the current pair of NUDID and MSISDN (third pair).

d. SM compares the old and new NUDID and MSISDN values in three bundles, after which three scenarios are possible:

i. if all three NUDID and MSISDN bindings match, then the SM returns a successful identification status to the CM, which writes/updates (as needed) the UCIK and UIKF to the store.

ii. if only the second and third bindings match, then the SM generates new SUDID, UID, UCIK and UIKF if necessary, updates its UHSI and MSISDN binding if necessary, returns to the CM a new UCIK, UIKF, MSISDN (if necessary) and the status of successful identification. CM writes/updates UCIK and UIKF to storage.

iii. In all other cases of copula matching, a transition occurs to steps when there is no UCIK in the repository.

e. Optionally, to improve the reliability of user identification, SM sends a special command to the user's SIM card, upon receipt of which, the SIM card displays a manual confirmation window on the device screen.

f. The online service receives the UCIK or UIKF and MSISDN (as needed) from the CM.

Thus, the identification of the online user and his device when accessing the Online Service when the user requests from the Application with the built-in Client Module to the Online Service via a secure protocol and not via the mobile OSS network with the UCIK present in the storage and successful automatic verification of MSISDN online user via command/message has been made with absolute accuracy, by comparing and validating the three bindings of the user's unique identifiers and his NUDID and MSISDN device using the server and client modules, which ensures secure access to information resources.

6. Example 6.

A method for identifying an online user and his device when a user requests from a browser or a WebView application to a Partner site via a secure protocol and not via the mobile OSS network in the absence of a UCIK in the UD and / or the impossibility of automatic MSISDN verification - with manual verification of the online user's MSISDN - carried out in the following sequence according to the scheme in Fig.1:

a. Request to the Partner site from a browser/WebView application to get the page on the UD.

b. Receipt in the UD of a page from the Online Service.

c. Request to get CM from page to SM.

d. Loading CM into a page from SM.

e. Request to SM from CM from Partner Site page in browser/WebView application to get a form with MSISDN entry field.

f. Receiving on UD from SM a form with a field for entering MSISDN.

g. Passing MSISDN via form from UD to SM. Changing the form to show a UCC (Unique Confirmation Code) input field.

h. Generating a confirmation code in SM and sending it to UD (including, but not limited to, via SMS, notification in the Application, a message to the SIM card applet or a message to a messenger).

i. Transfer UCC (by user input or automatic reading from CM) to SM.

j. The SM checks the validity of the UCC, and if it is valid, returns a response to the CM with the code validity status, generates a UID, SUDID, a one-time UCIK, and a one-time UIKF as necessary, and sends only the one-time user UIKF to the CM with instructions for the CM not to write the UIKF to the repository. The user is identified by his MSISDN for the duration of the session.

k. The online service receives a one-time UIKF and MSISDN (as needed) from the CM.

Thus, the identification of the online user and his device when accessing the Partner Site via a secure protocol and not via the OSS mobile network with manual MSISDN verification of the online user was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device using the server and client modules, which provides secure access to information resources.

7. Example 7.

A method for identifying an online user and his device when a user requests from an Application with a built-in Client Module to an Online Service using a secure protocol and not via the mobile network of the OSS in the absence of a UCIK in the UD and / or the impossibility of automatic verification of MSISDN - with manual verification of the MSISDN of the online user - carried out in the following sequence according to the scheme in Fig.1:

a. Request to SM from Embedded CM Application to get a form with MSISDN input field.

b. Receiving on UD from SM a form with a field for entering MSISDN.

c. Passing MSISDN via form from UD to SM. Changing the form to show a UCC (Unique Confirmation Code) input field.

d. Generating a confirmation code in SM and sending it to UD (including, but not limited to, via SMS, notification in the Application, a message to the SIM card applet or a message to a messenger).

e. Transfer UCC (by user input or automatic reading from CM) to SM.

f. The SM checks the validity of the UCC, and if it is valid, returns a response to the CM with the code validity status, generates a UID, SUDID, a one-time UCIK, and a one-time UIKF as necessary, and sends only the one-time user UIKF to the CM with instructions for the CM not to write the UIKF to the repository. The user is identified by his MSISDN for the duration of the session.

g. The online service receives a one-time UIKF and MSISDN (as needed) from the CM.

Thus, the identification of the online user and his device when accessing the Online Service via a secure protocol and not via the OSS mobile network with manual verification of the MSISDN of the online user was made with absolute accuracy, thanks to the comparison and confirmation of the unique identifier of the user and his device using server and client modules, which provides secure access to information resources.

Claims (7)

1. A method for identifying an online user and his device, including installing a server module (SM) on the server, which generates a unique identifier for the online user and his device based on non-falsifiable hardware and subscriber identifiers of the user - the number of a mobile subscriber of a digital network with integration of services for connection (MSISDN), its own hardware device identifier (NUDID) and a unique hardware user identifier (UHSI), when an online user first accesses an online service on the Network from his device via a mobile operator’s network, recording a unique online user identifier and his devices in the storage on the server and in the storage on the user's device, adding a client module (CM) with identification functionality to the executable code of the online service; identification of the user and his device when re-accessing an online service that requires identification of an online user on the Web, using the server and client modules, namely, checking the current identifier of the online user and his device with the identifier stored on the server, characterized in that that when an online user indirectly accesses the mobile network after adding a client module with identification functionality to the executable code of the online service, the client module checks for the presence of a unique composite identification key (UCIK) on the online user's device, the server module checks the relevance of the binding of the device's own hardware identifier provided by the manufacturer of the device and stored on it (NUDID) and the mobile subscriber number of a digital network with integration of services for communication (MSISDN), namely, the current MSISDN is re-determined, a new NUDID and MSISDN bundle is created on the server module (SM) and updated. 2. The method according to claim 1, characterized in that if the online user's device has a unique composite identification key (UCIK), the server module (SM) determines the first NUDID and MSISDN binding saved during the last access of the online user (first binding) , by NUDID, the current MSISDN associated with it is determined in the primary source of information (for example, from a mobile operator), a new second NUDID and MSISDN bundle is obtained, to update the NUDID and MSISDN bundle, a command/message is sent to the SM (for example, but not limited to, a hidden SMS) to the current MSISDN (from the second bundle), upon successful completion of the update, the SM receives the current third bundle of NUDID and MSISDN, all three bundles are compared, and if all three bundles match, it is decided that the identification was successful, and the status of successful identification is returned to the CM, which writes/updates (as needed) the UCIK and the UCIK Unique Composite Identification Key (UIKF) fingerprint in the store. 3. The method according to claim 1, characterized in that if the online user's device has a unique composite identification key (UCIK), the server module (SM) determines the first bundle of NUDID and MSISDN stored during the last access of the online user, NUDID determines in the primary source of information (for example, from a mobile operator) the current MSISDN associated with it, receive a second bundle of NUDID and MSISDN, to update the bundle of NUDID and MSISDN with SM sends a command/message (for example, but not limited to, a hidden SMS) to the current MSISDN (from the second bundle), upon successful completion of the update, the SM receives the current third NUDID and MSISDN bundle, compares all three bundles, and if the second and third bundles match, it is decided that the identification was successful, and the updated third NUDID bundle is sent to the client module (CM) and MSISDN write the updated UCIK and UIKF to the repository. 4. The method according to claim 1, characterized in that if the online user's device has a unique composite identification key (UCIK), the server module (SM) determines the first binding of NUDID and MSISDN stored during the last access of the online user, NUDID determines in the primary source of information (for example, from a mobile operator) the current MSISDN associated with it, receive a new second NUDID and MSISDN bundle, to update the NUDID and MSISDN bundle with the SM, send a command/message (for example, but not limited to, a hidden SMS) to the current MSISDN (from the second bundle), upon successful completion of the update, the SM receives the current third bundle of NUDID and MSISDN, compares all three bundles and, if all three bundles and the second and third bundles do not match, provide the online user with a form for manually entering their MSISDN and then a unique confirmation code (UCC) create a temporary UCIK. 5. The method according to claim 1, characterized in that if there is a unique composite identification key (UCIK) on the device of the online user, the server module (SM) determines the first bundle of NUDID and MSISDN stored during the last access of the online user, NUDID determines in the primary source of information (for example, from a mobile operator) the current MSISDN associated with it, receive a new second NUDID and MSISDN bundle, to update the NUDID and MSISDN bundle with the SM, send a command/message (for example, but not limited to, a hidden SMS) to the current MSISDN (from the second bundle), if the update is unsuccessful, provide the online user with a form for manually entering their MSISDN and then a unique confirmation code (UCC), create a temporary UCIK. 6. The method according to claim 1, characterized in that in the absence of a unique compound identification key (UCIK) on the online user's device, the online user is provided with a form for manually entering his MSISDN and then a unique confirmation code (UCC), a temporary UCIK is created. 7. The method according to claim 1, characterized in that when accessing the Online Service and correctly identifying the online user, the latter is provided with a form to confirm his identity in manual mode to increase confidence in the identification mechanism.

Images