WO2009101549A2 - Method and mobile device for registering and authenticating a user at a service provider - Google Patents
- Publication number: WO2009101549A2 (PCT application PCT/IB2009/050459)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service provider
- mobile device
- user
- digital identity
- challenge
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
    - H04L63/0853—Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal
  - H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
Definitions
- The object of the present invention is to devise and make available to the user a registration and authentication method that solves the above-mentioned inconveniences of the known techniques, thereby satisfying the said need for security and privacy of user personal data.
- the present invention provides a mechanism for effective and secure user registration and authentication by means of a mobile device, such as a personal digital assistant or a mobile phone.
- This invention also provides a related mechanism for creating, storing and managing digital identities in the same mobile device.
- the invention can be realized by any combination of software, firmware and hardware modules installed or embedded on a mobile device.
- the registration method of a user with a service provider includes the following steps:
  - creating and storing on a mobile device at least one digital identity;
  - establishing a communication between the mobile device and the service provider;
  - exchanging specific information between the mobile device and the service provider in order to generate some secret information uniquely associated to the chosen user digital identity and to the service provider;
  - storing the said generated secret information on the mobile device and at the service provider.
- the registration method includes the following steps:
  - supplying to the mobile device some information related to and identifying the service provider;
  - generating through the mobile device some secret data uniquely associated to a chosen user digital identity and to the above-mentioned service provider;
  - sending to the service provider the generated secret data together with the username or other identifying information related to the chosen user digital identity; and
- the service provider information is delivered to the mobile device through a page of the service site (e.g. web page).
- the service provider delivers to the user an address or a reference to an address where the user can download the service provider information. This address or reference to it is delivered in an encoded form through a page of the service site and it is read and decoded from the mobile device.
- the mobile device is equipped with a camera and the terminal through which the user is accessing the service has a graphical user interface (i.e. a screen and the ability to show characters as well as images on it).
- the service provider prompts for user registration displaying on the terminal screen an image (i.e. typically a 2D-barcode image) encoding some identifying data (e.g. service provider domain name).
- the user takes a picture of the image with his mobile device's camera.
- the mobile device decodes the acquired image, it extracts and saves contained data and shows the list of user digital identities available for the registration: the user selects the appropriate digital identity to be registered with the service provider being accessed. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends the selected digital identity and some related secure material (e.g. PKI certificate, username and password) directly to service provider. Otherwise the mobile device displays the secure material or part of it on its screen: the user types the data shown on mobile device display onto the terminal and completes registration.
- the authentication method of a user with a service provider which he has registered through the above mentioned registration method includes the following steps:
- the steps are:
  - generating, on the service provider side, a challenge that contains enough information for the user to identify the service provider and/or to generate a secure response that uniquely identifies the user;
  - encoding the challenge;
  - delivering the encoded challenge to the user;
  - the user acquiring the challenge with his mobile device;
- the challenge contains a service provider identifier; the mobile device extracts this identifier from the challenge and automatically selects the user digital identity registered with that service provider.
- the service provider prompts for user authentication displaying on the terminal screen an image (i.e. typically a 2D-barcode image) that encodes some newly generated data known as "challenge".
- the user takes a picture of the image with his mobile device's camera.
- the mobile device decodes the acquired image extracting contained data: from such data it identifies which service provider is prompting for authentication among those already known and stored on the mobile device. It then retrieves the user digital identity registered with that service provider.
- the mobile device uses the challenge and/or the secure material associated with the retrieved digital identity to generate a secure response. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the secure response directly to the service provider. Otherwise, the mobile device displays the secure response or part of it on its screen: the user types the data displayed on the mobile device onto the terminal and completes the authentication.
- the mobile device and the terminal are NFC devices, i.e. they are connected to or equipped with an NFC module. If the mobile device is a passive NFC device, then the terminal should be an active NFC device; if the mobile device is an active NFC device, then the terminal should be a passive NFC device. This way an NFC channel exists between the terminal and the mobile device.
- the service provider prompts for user registration by sending its identity data (e.g. the service provider domain name). When prompted for registration from the terminal, the user brings the mobile device near the terminal so that the NFC channel is established and the communication can take place.
- the mobile device receives, decodes and stores the service provider data and shows the list of user digital identities available for the registration: the user selects the appropriate digital identity to be registered. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the selected digital identity and some related secure material (e.g. PKI certificate, username and password) directly to the service provider: it sends the data either through the NFC channel and/or through any other supported communication channel (e.g. http connection) that can reach the service provider.
- the mobile device displays the secure material or part of it on its screen: the user types the data shown on mobile device display onto the terminal and completes registration.
- the service provider prompts for user authentication by sending the "challenge" to the terminal and from it to the mobile device through the existing NFC connection.
- the user brings the mobile device near it in order to establish the NFC channel and the communication to take place.
- the mobile device receives and decodes the data: from this data it identifies which service provider is prompting for authentication among those already known and stored on the mobile device.
- the mobile device retrieves the user digital identity registered with that service provider and it uses the challenge and/or the secure material associated with the retrieved user digital identity to generate a secure response. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the secure response directly to the service provider. Otherwise, the mobile device displays the secure response or part of it on its screen: the user types the data shown on the mobile device display onto the terminal and completes authentication.
- the user digital identities stored on the mobile device may be protected by a password or a PIN.
- the communications between the mobile device and terminal may be encrypted to prevent snooping.
- the invention provides also a mechanism to manage user digital identities that is to create and store on the mobile device a new digital identity or to certify, modify or delete an existing one.
- the user can create a new digital identity typing directly on the mobile device the data of the identity.
- the user can create a digital identity elsewhere (e.g. on the terminal) and send it to the mobile device through some kind of communication channel supported by the device (e.g. Bluetooth).
- the user can also modify an existing digital identity in the same way.
- the mobile device may in turn send the modified version to all the service providers the modified digital identity is registered with.
- the user can delete an existing digital identity.
- the mobile device may in turn inform all the service providers the deleted digital identity is registered with of the deletion.
- the mobile device creates a PKI certificate signing request (i.e. CSR) based on the data of the identity, sends it to some certification authority through some kind of communication channel supported by the device (e.g. SMS), receives the related certificate and stores it associated to the digital identity whose data was used to create it.
- FIG. 1 is a schematic illustration of an exemplary system architecture to implement the registration/authentication method in accordance with the present invention
- FIG. 2 is a block diagram of an exemplary mobile device in accordance with the present invention
- FIG. 3 illustrates a pictorial representation of the system architecture shown in Figure 1
- Figure 4 illustrates a pictorial representation of an exemplary system architecture in accordance with an alternative embodiment of the present invention
- FIG. 5 illustrates an exemplary flow diagram of an exemplary simple registration process in accordance with the present invention
- FIG. 6 illustrates an exemplary flow diagram of an exemplary certified registration process in accordance with the present invention
- FIG. 7 illustrates an exemplary flow diagram of an exemplary authentication process in accordance with the present invention
- FIG. 8 is a schematic illustration of an exemplary system architecture to implement the registration/authentication method in accordance with an alternative embodiment of the present invention
- FIG. 9 is a schematic illustration of another exemplary system architecture to implement the registration/authentication in accordance with an alternative embodiment of the present invention
- FIG. 10 illustrates a pictorial representation of the system architecture shown in Figure 9
- FIG. 11 illustrates a pictorial representation of another exemplary system architecture in accordance with an alternative embodiment of the present invention
- FIG. 12 is a schematic illustration of another exemplary system architecture to implement the registration/authentication method in accordance with an alternative embodiment of the present invention
- FIG. 13-18 are example screens of display of the mobile device illustrating the user interface windows for the identity management and the registration and authentication processes in accordance with the present invention.
- the present invention will be described herein in terms of functional block components, screen shots, optional selections and various processing steps.
- Such functional blocks may be realized by any number of hardware, firmware and/or software components configured to perform the specified functions.
- the present invention may employ various integrated circuit components, e.g. memory elements, processing elements, logic elements, look up tables and similar, which may carry out a variety of functions under the control of one or more microprocessors or other control devices.
- the software components of the present invention may be implemented by any programming and/or scripting language such as C, C++, Java, Perl, JavaScript, extensible markup language (i.e.
- Protocol is a generic sequence of operations, processing and/or communication steps as well as the data structures and codes involved in those operations and/or steps.
- a well known example of protocol is the Hypertext Transfer Protocol (i.e. HTTP) which is one of the protocols which Internet is based on.
- Network is a generic set of electronic devices and/or computers connected together, including the connections and communication protocols between them. The connections may include wire, wireless communication links, fiber optic cables and the like.
- a well known example of network is Internet. Unless noted, this invention does not restrict to, or prescribe, any particular type of network.
- Terminal is a generic electronic device having a user interface (e.g. personal computer) through which a person can access and use a service, an application and/or content. Unless noted, this invention does not restrict to, or prescribe, any particular type of terminal.
- Service is a generic service, application and/or content that can be accessed and used through some functioning terminal. Unless noted, this invention does not restrict to, or prescribe, any particular type of service.
- Service provider is any subject that supplies a service (e.g. a bank, which supplies an online banking service).
- the service provider may be the terminal itself (e.g. a computer, which provides access to a specific content stored on it).
- this invention does not restrict to, or prescribe, any particular type of service provider.
- User is any subject that accesses and uses a service through some functioning terminal.
- Service site is the user interface of a service through which a user can access and use the service (e.g. a web site for an online service, an ATM user interface). Unless noted, this invention does not restrict to, or prescribe, any particular type of service site.
- Digital identity is a set of data that in some context describes and uniquely identifies a subject. A subject is, for example, a user or a service provider. A subject can have one or more digital identities; any digital identity refers to one and only one subject.
- Identity card is a generic representation of digital identity data according to some predefined format (e.g. vCard format). Unless noted, this invention does not restrict to or prescribe any particular format.
- User account is a set of user personal data that are stored and used by a service provider to describe and uniquely identify a user. Typically a user account reflects the digital identity that the user registered with the service provider.
- Registration is the process of enrollment of a subject (e.g. a person) in the service user group of the service that the subject wants to access and use.
- the registration usually requires a subject to supply his identifying data (e.g. first name, last name, e-mail) to the service provider and typically ends with the creation of a related user account. If the process completes successfully the subject who has applied for registration becomes a registered user of the service.
- Authentication, also known as the "log in" process, is the process through which the service provider recognizes a subject as being one of the legitimate registered users of the service it provides. If the process completes successfully the subject, i.e. the user, is allowed to access and use the service.
- the authentication typically requires a subject to provide the service provider with enough information (e.g. username and password) to recognize him as a legitimate user with some degree of certainty. The safer the authentication process, the higher the degree of certainty.
- Server is a set of one or more electronic devices through which the service provider supplies its service. Unless noted, this invention does not restrict to, or prescribe, any particular type or number of servers.
- Digital certificate is a set of data that binds a PKI public key to a digital identity in a secure and unique way. An example of digital certificate is an X509 certificate, commonly used on Internet to certify the user and service provider identity. Unless noted, this invention does not restrict to, or prescribe, any particular type of certificate.
- NFC is a short-range, wireless, contactless communication technique that allows communications to take place between devices which either touch or are momentarily held close together. The technology works via magnetic field induction and operates on an unlicensed radio frequency band. NFC enables devices to share information either in one direction or both. NFC is an open platform technology based on Radio Frequency Identification technology and is an approved ISO standard (ISO/IEC 18092 and 21481).
- Figure 1 is a schematic illustration of the devices involved in the registration and authentication of a user with a service provider, in accordance with a preferred embodiment of the invention.
- the user has a mobile device 10, preferably equipped with a camera 12 and connected to a service provider 14 through a network B.
- a terminal 16 is connected through the network A.
- the terminal 16 may be for example a personal computer or an ATM.
- the service provider 14 is represented by its own server 15 connected to the terminal 16 and to the mobile device 10 through the networks A and B.
- the server 15 provides a service such as, for example, an on-line banking service, an e-commerce service or the access to some kind of qualified content.
- the network A that connects the terminal 16 to the service provider 14 may be different from the network B that connects the mobile device 10 to the service provider 14.
- the user accesses and uses the service supplied by the service provider 14 through the terminal 16.
- the mobile device 10 includes a registration module 20, an authentication module 22, an identity management module 24 and a permanent memory 26 to store the user digital identities.
- the registration module 20 and the authentication module 22 manage respectively the registration and the authentication process as explained in the following paragraphs.
- the identity management module 24 manages the creation, modification, deletion and any other operation related to user's and service provider's digital identities stored on the mobile device.
- the identity management module 24 enables the user to create on his mobile phone one or more digital identities.
- Created identities appear as a set of digital identity cards. Each card carries a number of standard fields (as defined by some standard, e.g. vCard) dedicated to personal data and a small set of private fields that store information about secrets and digital certificates associated to the identity.
- Each user digital identity is associated with the list of service providers it is registered with. Each digital identity resides in the permanent storage 26 of the mobile device.
- Each user digital identity can be certified by a service provider or by a trusted third party authority, as described in the following paragraphs.
- the modules that implement the invention may be integrated with all or part of the other hardware (e.g. camera, NFC element), software (e.g. web browser) or firmware components of the mobile device 10.
- Figure 3 shows a pictorial representation of an embodiment of the invention in which the terminal 16 has a screen 30 and a graphical user interface (i.e. GUI, which is a user interface that is able to show not only characters but also images).
- the mobile device 10 may be, for example, a mobile phone, a handheld computer or a personal digital assistant (i.e. PDA).
- the mobile device 10 is equipped with a camera 12 and carries the user digital identities.
- the terminal and the mobile device are connected through some kind of network A, B (e.g. Internet) to the server 15 of the service provider 14.
- Figure 4 shows an alternative embodiment of the invention, in which the mobile device 10 is not directly connected to the service provider 14.
- transmission of data needed for the registration and authentication processes from the service provider 14 to the mobile device 10 takes place through images 40 displayed on the service site 38 on the terminal 16 and acquired by the mobile device 10 through its camera 12.
- the mobile device 10 displays the data to be sent to the service provider 14 on its screen: data are effectively sent to the service provider 14 when the user types them on the service site shown on the terminal and submits them to the service provider.
- Lack of connection between the mobile device 10 and the service provider 14 may happen for several reasons: the mobile device could be offline (i.e.
- the flowchart of Figure 5 shows the operations of the mobile device during the registration process in accordance with the preferred embodiment of the present invention.
- the service provider 14 prompts for user registration displaying on the service site 38 on the screen 30 of the terminal 16 an image 40 (i.e. a 2D-barcode image) that encodes the service provider identifying data or a reference to them.
- the registration process starts when the prospective user takes a picture of the image 40 shown on the screen 30 of the terminal 16 using the camera 12 of his mobile device 10 (step 100).
- the mobile device 10 acquires the image: the registration module 20 on the device 10 receives and decodes the acquired image, extracting the service provider data (step 102).
- a check is made in order to establish if a reference to service provider identifying data is received (step 104).
- This reference may be, for example, a URL or a URI (URL, i.e. Universal Resource Locator; URI, i.e. Universal Resource Identifier) pointing to the Internet location where to download the data from.
- the registration module resolves the reference accessing the network (step 106) and downloading the data using the given URL or URI (step 108). If a reference is not received, data fully describing and identifying the service provider are received.
- the mobile device 10 shows the service provider data on the screen for the user review and acceptance (step 110).
- a check is made (step 112) in order to establish if the received service provider data are trustworthy according to some trust criterion (e.g. they are signed with a valid and trusted key). If data are not deemed trustworthy they are discarded and the registration process ends (step 114).
- the registration module 20, collaborating with the identity management module 24, retrieves the user digital identities stored on the mobile device and available for registration: the mobile device displays the list of available user digital identities on its screen (step 116).
- the user selects the identity to be registered with the service provider (step 118).
- the registration module 20 receives the choice of the user and generates some secure and secret material (e.g. secret key) associated to the selected digital identity (step 120).
- a check is made as to whether the mobile device is directly connected to the service provider. If the mobile device is connected to the service provider through some kind of network or connection, the registration module sends the selected user digital identity data and the associated secure material to the service provider (step 122).
- If the mobile device is not connected to the service provider, it shows on its screen the user digital identity data and/or the associated secure material or part of it, leaving to the user the task of typing the information into the registration form of the service site shown on the terminal (step 124).
- the registration module 20, collaborating with the identity management module 24, creates a new digital identity for the service provider which the user has registered with and stores it in the device permanent storage, associating it to the user digital identity used in the registration (step 126). This ends the registration process.
- the registration module 20 receives the choice of the user and generates a pair of asymmetric keys (i.e. PKI keys) (step 220). It also generates a PKI certificate signing request (i.e. CSR) based on the public key just created and the data of the selected user digital identity. The CSR and the keys are associated to the selected user digital identity (step 222). The registration module 20 sends the CSR and the related user digital identity data to the service provider 14 (step 224).
- Based on the service provider data, the registration module 20, collaborating with the identity management module 24, also creates a new digital identity for the service provider which the user is registering with and stores it in the permanent storage of the mobile device (step 226).
- the service provider (or some other certification authority which the CSR is forwarded to) receives the CSR and, based on it, produces a valid public key certificate that it sends back to the mobile device (step 228) .
- a flowchart is shown illustrating the operations of the mobile device 10 during the authentication process in accordance with one embodiment of the present invention.
- the service provider 14 prompts for user authentication displaying on the screen 30 of the terminal 16 an image (i.e. a 2D-barcode image) that encodes some newly generated unique data called "challenge".
- the challenge may include, for example, the service provider unique identifier and/or a randomly generated unique number (e.g. a nonce) and/or a digital signature: in general, it contains enough information to identify the service provider and/or to create a secure response that can identify the user with certainty.
- the authentication process starts when the prospective user takes a picture of the image shown on the terminal screen using his mobile device camera (step 300).
- the mobile device 10 acquires the image: the authentication module 22 on the device 10 receives and decodes the acquired image, extracts the encoded data and verifies their authenticity and integrity (e.g. verifying their signature). From the same data the authentication module 22 extracts the challenge (step 302) and checks whether it contains enough information to identify the service provider among the providers already known and stored on the mobile device (step 304). If it does not contain enough information to determine the service provider, the mobile device shows the list of stored service providers on its display (step 306), leaving to the user the task of choosing the service provider with which he is authenticating (step 307). If it contains enough information to determine the service provider, the authentication module 22 automatically identifies the service provider among those stored on the device.
- the authentication module 22, collaborating with the identity management module 24, retrieves from permanent storage 26 the user digital identity registered with the given service provider (step 308). Based on the challenge and secure material associated to the retrieved user digital identity, the authentication module 22 generates a secure response (step 310).
- the secure response may contain, for example, the challenge signed with the user private key or it may simply contain some hash of the challenge combined with some other secret shared by the user and the service provider.
- a check is made as to whether the mobile device is directly connected to the service provider. If the mobile device is connected to the service provider through some communication channel, the authentication module sends the secure response back to the service (step 312). If the mobile device is not connected to the service provider, the authentication module shows on the mobile device screen the secure response or part of it, leaving to the user the task of typing the information into the authentication form of the service site shown on the terminal (step 314). This ends the authentication process.
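The registration flow of Figure 5 (steps 100 to 126) and the authentication flow of Figure 7 (steps 300 to 314) modelled end to end, with both the mobile device and the service provider in one process. This is an added example and not code from the patent or from any product; it assumes that the 2D-barcode payload is JSON, that the "secure material" generated at step 120 is a random 32-byte secret shared with the provider, that the trust check of step 112 is a boolean flag standing in for signature validation, and that the secure response of step 310 is an HMAC-SHA256 over the challenge keyed with that secret (the page also allows signing the challenge with the user's private key; that variant is not shown). All provider names and identity data below are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time


def canonical(challenge: dict) -> bytes:
    """Stable byte encoding so device and provider MAC the same bytes."""
    return json.dumps(challenge, sort_keys=True, separators=(",", ":")).encode()


def _now(now):
    return time.time() if now is None else now


class MobileDevice:
    """Identity cards plus per-provider secrets (the permanent storage 26)."""

    def __init__(self, identity_cards):
        self.identities = {card["username"]: card for card in identity_cards}
        self.providers = {}  # provider id -> {"username": ..., "secret": ...} (step 126)

    def register(self, barcode_payload: str, username: str, fetch=None):
        """Steps 102-126. Returns the step 122 payload, or None when the data is untrusted (step 114)."""
        data = json.loads(barcode_payload)
        if "ref" in data:  # steps 104-108: payload only carries a reference (URL/URI)
            data = fetch(data["ref"])  # `fetch` is an assumed network hook
        if not data.get("trusted"):  # step 112: assumed stand-in for "signed with a trusted key"
            return None
        secret = secrets.token_bytes(32)  # step 120: secure material for this identity/provider pair
        self.providers[data["id"]] = {"username": username, "secret": secret}
        return {"id": data["id"], "username": username, "secret": secret}

    def respond(self, barcode_payload: str, choose=None):
        """Steps 302-310. `choose` is the user picking from the stored provider list (steps 306-307)."""
        challenge = json.loads(barcode_payload)
        provider_id = challenge.get("sp") or choose(sorted(self.providers))
        reg = self.providers[provider_id]  # step 308
        mac = hmac.new(reg["secret"], canonical(challenge), hashlib.sha256).hexdigest()
        return {"username": reg["username"], "nonce": challenge["nonce"], "mac": mac}


class ServiceProvider:
    def __init__(self, provider_id: str, ttl_seconds: int = 60):
        self.id = provider_id
        self.ttl = ttl_seconds
        self.accounts = {}  # username -> shared secret (the "user account")
        self.pending = {}   # nonce -> challenge, removed on first use

    def provider_data(self) -> str:
        """What the registration barcode (image 40) encodes."""
        return json.dumps({"id": self.id, "trusted": True})

    def enrol(self, payload: dict):
        """Store the secret sent at step 122 against the username."""
        self.accounts[payload["username"]] = payload["secret"]

    def challenge(self, include_id: bool = True, now=None) -> str:
        """Fresh challenge for the authentication barcode; `include_id=False` exercises step 306."""
        ch = {"nonce": secrets.token_hex(16), "ts": int(_now(now))}
        if include_id:
            ch["sp"] = self.id
        self.pending[ch["nonce"]] = ch
        return json.dumps(ch)

    def verify(self, response: dict, now=None) -> bool:
        """Single-use nonce, expiry window, then constant-time MAC comparison."""
        ch = self.pending.pop(response.get("nonce"), None)  # replayed nonce -> None
        if ch is None or _now(now) - ch["ts"] > self.ttl:
            return False
        secret = self.accounts.get(response.get("username"))
        if secret is None:
            return False
        expected = hmac.new(secret, canonical(ch), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response.get("mac", ""))


if __name__ == "__main__":
    bank = ServiceProvider("bank.example")
    phone = MobileDevice([{"username": "alice", "name": "Alice Example"}])
    bank.enrol(phone.register(bank.provider_data(), "alice"))
    resp = phone.respond(bank.challenge())
    print("first use:", bank.verify(resp), "replay:", bank.verify(resp))
```

The provider keeps each challenge until it is answered, so a nonce reused by anyone who photographed the same screen is rejected, and the expiry window bounds how long a displayed barcode stays valid. The offline path of step 314, where the user retypes "the secure response or part of it", would mean accepting only a prefix of the MAC; a provider taking that route should treat the shortened code as correspondingly weaker and rate-limit attempts.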
- Figure 8 shows a variant of the preferred embodiment of the invention where the terminal itself 160 is the service provider: the service may be the access to some protected resource of the terminal (e.g. files, directories, databases).
- the terminal 160 has a screen 30 and a graphical user interface.
- the mobile device 10 is equipped with a camera 12 and carries the user digital identities.
- the mobile device 10 may be connected to the terminal 160 through some kind of network or connection 170 (e.g. WLAN, Bluetooth). If the mobile device 10 is not directly connected to the terminal, transmission of all the data from the terminal to the mobile device implied by the registration and authentication processes may take place through images displayed on the terminal screen and acquired by the mobile device through its camera.
- FIG. 9 shows an alternative embodiment of the invention where, with respect to the embodiment shown in figure 1, the mobile device 10 and the terminal 16 are equipped with an NFC module and therefore connected by an NFC channel.
- a pictorial representation of the same alternative embodiment of the invention shows the terminal 16 being connected to an NFC device.
- the terminal may be equipped with an embedded NFC module.
- the mobile device 10 is also equipped with an NFC module.
- the mobile device carries the user digital identities.
- the terminal and the mobile device are connected to some network, e.g. Internet.
- the service provider server is connected to the mobile device and the terminal through the same networks.
- FIG 11 shows another embodiment of the invention in which, differently from the above-mentioned embodiment, the mobile device 10 is not directly connected to the service provider 14.
- the mobile device 10 has two alternatives to send data to the service provider 14: the first is showing them on its display so that the user can type them into the service site shown on the terminal and submit them to the service provider; the second is sending them back to the terminal using the existing NFC channel and letting the terminal transmit them to the service provider.
- the mobile device could be offline (i.e.
- Figure 12 shows a variant of the alternative embodiment of the invention where the terminal itself 160 is the service provider: the service may be the access to some protected resource of the terminal (e.g. files, directories, databases).
- the terminal may be connected to an external NFC device 50.
- the terminal may be equipped with an embedded NFC module.
- the mobile device is also equipped with an NFC module 50.
- the terminal and the mobile device are connected through an NFC channel 55: they may also be connected through some other type of network or connection B (e.g. WLAN, Bluetooth).
- the communications between the mobile device and the terminal may take place through the NFC channel 55 or through the alternative communication channel B which connects them.
- the registration and authentication processes proceed as stated for the alternative embodiment of the invention, with the terminal as a substitute for the service provider.
- the communications between the mobile device and terminal, between the terminal and the service provider and between the mobile device and the service provider may be encrypted to prevent snooping.
- the terminal and the mobile device may use, for instance, SSL to protect their communications over HTTP with the service provider.
- the modules installed on the mobile device i.e. registration and authentication module
- the user digital identities stored on the mobile device may be protected by a password or a PIN.
- any use of a digital identity may require the user to type the password or PIN: this prevents a thief from using the digital identities stored on the mobile device when it is stolen.
- the password or PIN that protects digital identities may be replaced by a stronger protection method, like an iris scan through the mobile device camera or some other biometric recognition method. In this way the user does not have to remember any password or PIN to access and use his digital identities on the mobile device: the mobile device authenticates him simply through his unique biometric data.
- the identity management module 24 enables the user to modify one of his digital identities stored on the mobile device; the same module may autonomously send to each service provider with which the identity is registered the modified version of the digital identity. Some restrictions apply when the digital identity has been certified by a service provider or some other authority. In this case the user cannot modify the digital identity without enrolling in a new certification process with the authority that certified the identity.
- the identity management module 24 enables the user to delete one of his digital identities stored on the mobile device; deleting a user digital identity may imply unregistering it with every service provider with which it has been registered. In this case, the identity management module in collaboration with the registration module may autonomously inform of the deletion each service provider where the identity has been registered, using one of the communication channels available on the mobile device, for example sending it an SMS or accessing a specific URL.
- the identity management module may create and store a service provider digital identity based on the service provider identifying data received during the registration process.
- the identity management module enables the user to delete the service provider digital identities stored on the mobile device; deleting a service provider digital identity may imply unregistering the user with it.
- the identity management module in collaboration with the registration module may autonomously inform the related service provider of the deletion using one of the available communication channels (e.g. SMS, Internet).
- the identity management module enables the user to review which of his digital identities are registered with a given service provider. The same module enables the user to review the list of service providers a given user digital identity is registered with.
- the identity management module 24 collaborates with the registration module 20 and the authentication module 22 during the registration and authentication process, respectively. In these processes, given a service provider identifier, the identity management module retrieves the user digital identity registered with the related service provider.
- the identity management module enables the user to export a single digital identity or the entire content of the identity database in a ciphered format and import it into a different mobile device. This allows the user to preserve his data even when he changes mobile device.
- Example display screens for the identity management, registration and authentication modules are shown in Figures 13-18.
- Figure 13 shows a screen comprising an identity card window 60 that includes a title bar 61, which may display the name of the identity or some other related title, a toolbar 62, which may display a number of buttons, and, in the central part, the data 63 of the selected digital identity, for example name, nickname, address, telephone number, e-mail.
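The identity management bookkeeping described in the items above (registration per provider, review in both directions, modification restricted for certified identities, deletion with unregistration notices), as an added Python example that is not the patent's code. The secret generated at simple registration is the per-(identity, provider) secret that the registration method in the Description stores on both sides; the data layout, the `notify` callback standing in for the SMS/URL channels and the `certified` flag are assumptions, and the ciphered export is not shown.

```python
"""Identity management bookkeeping for the module described above.
Added example, not the patent's code. The data layout, the notify callback
(stand-in for the SMS / URL channels) and the certified flag are assumptions."""
import secrets


class IdentityStore:
    def __init__(self, notify=None):
        self.identities = {}     # name -> {"fields": {...}, "certified": bool}
        self.providers = {}      # sp_id -> identifying data received at registration
        self.registrations = {}  # (identity name, sp_id) -> shared secret bytes
        self.notify = notify or (lambda event: None)

    def add_identity(self, name, fields, certified=False):
        if "username" not in fields:
            raise ValueError("an identity needs a username to register with")
        self.identities[name] = {"fields": dict(fields), "certified": certified}

    def simple_registration(self, name, sp_id, sp_data):
        """Simple registration: generate the secret unique to this (identity,
        provider) pair, keep it locally, and return what goes to the provider,
        i.e. the username plus the secret (the provider stores both)."""
        if name not in self.identities:
            raise KeyError(name)
        secret = secrets.token_bytes(32)
        self.providers.setdefault(sp_id, dict(sp_data))  # provider digital identity
        self.registrations[(name, sp_id)] = secret
        return {"username": self.identities[name]["fields"]["username"],
                "secret": secret.hex()}

    def secret_for(self, name, sp_id):
        """Used at authentication time: the secret registered with this provider."""
        return self.registrations[(name, sp_id)]

    def providers_for(self, name):
        """Review: every provider this identity is registered with."""
        return sorted(sp for (n, sp) in self.registrations if n == name)

    def identities_for(self, sp_id):
        """Review: every identity registered with this provider."""
        return sorted(n for (n, sp) in self.registrations if sp == sp_id)

    def modify_identity(self, name, field, value):
        """Change one field and push the update to each registered provider.
        A certified identity is frozen: changing it means re-certifying."""
        ident = self.identities[name]
        if ident["certified"]:
            raise PermissionError(f"{name} is certified; re-run certification to change it")
        ident["fields"][field] = value
        affected = self.providers_for(name)
        for sp in affected:
            self.notify({"type": "update", "sp": sp, "identity": name,
                         "field": field, "value": value})
        return affected

    def delete_identity(self, name):
        """Delete an identity and unregister it everywhere it was registered."""
        affected = self.providers_for(name)
        for sp in affected:
            del self.registrations[(name, sp)]
            self.notify({"type": "unregister", "sp": sp, "identity": name})
        del self.identities[name]
        return affected

    def delete_provider(self, sp_id):
        """Delete a provider's digital identity and unregister the user with it."""
        affected = self.identities_for(sp_id)
        for name in affected:
            del self.registrations[(name, sp_id)]
            self.notify({"type": "unregister", "sp": sp_id, "identity": name})
        del self.providers[sp_id]
        return affected
```

Each mutating call returns the providers or identities it touched, so a caller can confirm the unregistration notices went where expected; the `notify` events are what the registration module would send over SMS or to a provider URL.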
- the toolbar 62 may include a button 64 to edit the selected field of the digital identity, a button 65 to register or certify the selected digital identity, a button 66 to review the service providers which the identity is registered with, a button 67 to add one or more fields (e.g. organization, photo) and a button 68 to delete an existing field.
- Figure 14 shows a screen comprising the user digital identity list window 70 that includes a title bar 71, a toolbar 72 and, in the central part, a list 73 of digital identities stored on the mobile device.
- the toolbar 72 may include a button 74 to open the selected digital identity detail window, a button 75 to register or certify the selected digital identity, a button 76 to search among the stored digital identities, a button 77 to add a new digital identity and a button 78 to delete an existing one.
- Figure 15 shows a screen comprising an identity field edit window 80 that includes a title bar 81, a menu bar 82 and, in the central part, the field 83 to edit with its value 84.
- the menu bar may contain an item to confirm the field value (i.e. OK) and an item to discard the changes made (i.e. Cancel).
- Figure 16 shows a screen comprising a registration window 90 that includes a title bar 91, a button 92 to confirm registration, a button 92 to abandon the registration and in the central part a summary of the service provider 93 and the user digital identity 94 involved in the process.
- Figure 17 shows a screen comprising an authentication window 400 that includes a title bar 401, a button 402 to confirm authentication, a button 403 to abandon the authentication and in the central part a summary of the service provider 404 and the user digital identity 405 involved in the authentication process.
- Figure 18 shows a screen comprising an authentication result window 500 that includes a title bar 501, a button 502 to end the authentication process and in the central part the secure response 503 generated by the authentication module.
- the method according to the invention reduces the registration and authentication processes to a simple gesture like waving the mobile device near the terminal (i.e. "touching" the terminal with the mobile device) or taking a snapshot of an image shown on the terminal screen. This spares the user from remembering and typing his credentials (e.g. username and password) and protects him from piracy and identity theft.
- the proposed system also promotes identity portability allowing the user to reuse the same identity on several service providers and on several machines.
- identities are stored on the user's mobile device, which typically is strictly personal. Hence the user can always carry his own digital identities with him. This is a guarantee of reuse and privacy.
- the method gives users the possibility to track identities usage and dependencies: this improves user's awareness and confidence.
- the near field interaction on which the whole system is based implies simply to wave the mobile device near the terminal or to take a snapshot of an image shown on the terminal; both of these operations are simple and intuitive.
- the proposed method does not require any configuration by the user to be used, since no configuration is needed to establish an NFC channel between the terminal and the mobile device or to take a snapshot. This saves the user from tricky configuration processes in which to set the value of incomprehensible technical parameters.
- NFC technologies as such are themselves intuitive and easy to use: this automatically generates trust and confidence in the user, who always feels in control of what is happening. Moreover, the short range in which communication takes place reduces to a minimum privacy breach risks: therefore the system can be used with equal confidence at home or at a kiosk in a public place.
- the method has an intuitive graphical user interface that makes user' s interaction simple and fun.
- the system is not only an authentication token; it also offers the capability of storing and managing user' s personal data and credentials for multiple online services. Unlike a simple authentication token, it gives the user the control over the set of information given to each service provider; this is interesting for users concerned with their privacy. It gives also the possibility to reuse personal data and credentials, saving time and annoyance in the registration process.
- the possibility to use even simple optical technologies allows the system to adapt to a multitude of different technological contexts. In the poorest ones, where no NFC reader is available, the user can use his mobile device camera. In the most advanced ones, the user can take full advantage of the system using NFC technologies (e.g. RFID). In those cases the system gives its best, fully automating some processes and making them transparent to the user.
- System security may rely on the security of the mobile device smart card that preserves every secret and key of the application.
- the authentication process is based on a challenge/response protocol.
- the response is generated either from a secret shared between user and service provider during a simple registration or from the user's private key, the public key of which had been certified by service provider during a certified registration.
- Certified registration has one important advantage over simple registration: the user's digital identity involved in the registration becomes "certified", which means that a digital certificate guarantees its validity. This is particularly useful in a federated environment, that is an environment in which a set of service providers use and trust common certification/identity servers and in some cases share the registration/authentication process; in fact, in such an environment the user could use a certified identity to authenticate to a service provider whom he never registered with but who trusts the service provider that certified the presented identity. [00116] Thus, certified registration allows the system to integrate and work equally well in a federated identity environment.
- the proposed registration and authentication methods are as secure as the safest authentication devices (i.e. smart card, RSA token) and can be used in any context in which these same devices can be used.
- the proposed invention including the registration and authentication methods above-mentioned, is implemented by software installed on a mobile device. This implies negligible distribution cost and no need for the user to adopt an additional device to authenticate himself with the service provider.
- the proposed invention is more intuitive and easy to use than the present authentication devices. It does not require the adoption of cumbersome and difficult to manage proprietary technologies. It supports either symmetric or asymmetric keys; therefore it is quite easy to integrate it with existing infrastructures.
- the invention does not include only an authentication method, but also a compact identity management tool that enables the user to manage and control the use of his digital identities and automates some procedures related to the registration and authentication processes.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The invention is related to a registration method of a user with a service provider, comprising the steps of creating and storing on a mobile device at least one digital identity, establishing a communication between the mobile device and the service provider, exchanging information between the mobile device and the service provider in order to generate some secret data associated both to a chosen digital identity and to the service provider, and storing said secret data both on the mobile device and at the service provider. The invention is also about an authentication method comprising the steps of creation by the service provider of a challenge containing a service provider identifier, encoding of the challenge, delivering the encoded challenge to the user, acquiring the challenge through the mobile device, extracting the service provider identifier and automatically selecting the digital identity registered with said service provider, generating a response to the challenge and sending the response back to the service provider together with the identifier of the chosen digital identity.
Description
DESCRIPTION
"Method and mobile device for registering and authenticating a user with a service provider"
[0001] The object of the present invention is a method for registering and authenticating a user with a service provider. Moreover, the invention deals with a mobile device suitable to implement such a method. [0002] The Internet is undoubtedly the most important business channel available nowadays; a huge number and variety of transactions take place through it, ranging from business to entertainment. Since its beginning, the Internet has always been greedy for user personal data in order to tailor its content to the customer's needs and to gather precious information and statistics about consumer behavior.
[0003] It is a common experience that to access even the smallest content or service the user often has to register on the content or service provider web site. The registration itself implies giving user personal data and, in the simplest case, associating them with a pair of secrets (i.e. username, password) known only to the user and the service provider. The constant repetition and proliferation of personal data greatly lessen the control that the user has over his personal data. The protection of user personal data is left to the content or
service provider and depends, to a large extent, on the strength and security of the authentication method adopted by the same provider to let the user access his personal data and the offered content or service. However, the <username, password> authentication method, in spite of being the most widely adopted method to protect the user's data and ascertain his identity, is the least secure. Furthermore, to reduce the annoyance of repetition, the user usually pays little or no attention when it comes to analyzing the service provider privacy policy or choosing and keeping good secrets, ending up using the same username and password for almost all service providers he deals with and/or, even worse, writing them down on a piece of paper that could easily be lost or stolen. [0004] These habits expose the user to several threats, including identity theft, i.e. the misuse of someone else's personal information to commit fraud. Personal information may include name, address, social security number, date of birth, and all other personal data that in a certain context uniquely describe and identify a subject. In the digital world, this set of information is often referred to as "digital identity" and from now on this term will be used with this meaning. [0005] Online fraud and identity theft are growing dangers to the online economy: they undermine consumers' trust in the
new technologies and keep many potential small companies from offering added value online services to the users. [0006] To fight these plagues, service providers, especially in the financial market, are evaluating two different and complementary approaches to protect customer's data and crush account hacking: single sign on and strong authentication solutions. Single sign on allows a user to log on with a single username and password to access a plurality of resources. This, by itself, does not relieve the user from the burden of remembering a plurality of usernames and passwords, though it can greatly reduce their number. [0007] On the other hand, strong authentication solutions like digital certificates, smart cards and RSA tokens allow the user to authenticate in a very secure way without remembering a multitude of credentials. These solutions anyway have never gained wide acceptance among users and service providers for several reasons: digital certificates are quite complex for the user to understand and manage and are uniquely associated with the device on which they are installed; smart cards and RSA or similar hardware tokens are simpler but more expensive and force the user to carry an additional electronic device in his pocket. [0008] In addition to a strong authentication method to
protect the access to personal data, the user needs an identity management tool to keep track of, store and efficiently manage his increasing number of credentials and digital identities and regain control on his own data.
[0009] Though the present discussion started from the Internet and the need for a strong network authentication method, all these remarks are valid in every situation where user authentication is necessary to access a resource, including, but not limited to, personal computer applications, online services, electronic mail, web sites and automatic teller machines (ATM). Every situation that requires user authentication implies some previous form of user registration, be it the registration of the user on a personal computer or on a web site or the opening of a bank account before using an ATM.
[0010] Object of the present invention is to devise and make available to the user a registration and authentication method that solve the above mentioned inconveniences with respect to the known techniques therefore satisfying the said need for security and privacy of user personal data.
[0011] The present invention provides a mechanism for effective and secure user registration and authentication by means of a mobile device, such as a personal digital
assistant or a mobile phone. This invention also provides a related mechanism for creating, storing and managing digital identities in the same mobile device. The invention can be realized by any combination of software, firmware and hardware modules installed or embedded on a mobile device.
[0012] According to a general embodiment of the invention, the registration method of a user with a service provider includes the following steps: [0013] - creating and storing on a mobile device at least one digital identity;
[0014] - establishing a communication between the mobile device and the service provider; [0015] - exchanging specific information between the mobile device and the service provider in order to generate some secret information uniquely associated to the chosen user digital identity and to the service provider; [0016] - storing the said generated secret information on the mobile device and at the service provider. [0017] In a preferred embodiment of the invention, the registration method includes the following steps: [0018] - supplying to the mobile device some information related to and identifying the service provider; [0019] - generating through the mobile device some secret data uniquely associated to a chosen user digital
identity and to the above-mentioned service provider; [0020] - sending to the service provider the generated secret data together with the username or other identifying information related to the chosen user digital identity; and
[0021]- storing the generated secret data.
[0022] Preferably, the service provider information is delivered to the mobile device through a page of the service site (e.g. web page). [0023] Still more preferably, the service provider delivers to the user an address or a reference to an address where the user can download the service provider information. This address or reference to it is delivered in an encoded form through a page of the service site and it is read and decoded from the mobile device.
[0024] In a preferred embodiment of the invention, the mobile device is equipped with a camera and the terminal through which the user is accessing the service has a graphical user interface (i.e. a screen and the ability to show characters as well as images on it). In this case, the service provider prompts for user registration by displaying on the terminal screen an image (i.e. typically a 2D-barcode image) encoding some identifying data (e.g. service provider domain name). When prompted for registration from the terminal, the user takes a
picture of the image with his mobile device's camera. The mobile device decodes the acquired image, extracts and saves the contained data and shows the list of user digital identities available for the registration: the user selects the appropriate digital identity to be registered with the service provider being accessed. If the service provider being accessed and the user's mobile device can communicate through some kind of network (e.g. internet), the mobile device sends the selected digital identity and some related secure material (e.g. PKI certificate, username and password) directly to the service provider. Otherwise the mobile device displays the secure material or part of it on its screen: the user types the data shown on the mobile device display into the terminal and completes registration.
[0025] According to a general embodiment of the invention, the authentication method of a user with a service provider which he has registered through the above mentioned registration method includes the following steps:
[0026] - generating, by the service provider side, a challenge that contains enough information for the user to identify the service provider and/or to generate a secure response that uniquely identifies the user; [0027] - encoding the challenge;
[0028] - delivering the encoded challenge to the user; [0029] - the user acquiring the challenge with his mobile device;
[0030] - extracting the service provider identifier, if any, and automatically selecting the user digital identity registered with that service provider; [0031] - generating a secure response to the challenge and sending it back to the service provider together with the username or other identifying information of the selected user digital identity.
[0032] According to a preferred embodiment of the invention, the challenge contains a service provider identifier; the mobile device extracts from the challenge this identifier and automatically selects the user digital identity registered with that service provider.
[0033] In a preferred embodiment of the invention, the service provider prompts for user authentication displaying on the terminal screen an image (i.e. typically a 2D-barcode image) that encodes some newly generated data known as "challenge". When prompted for authentication from the terminal, the user takes a picture of the image with his mobile device's camera. The mobile device decodes the acquired image extracting contained data: from such data it identifies which service provider is prompting for authentication among
those already known and stored on the mobile device. It then retrieves the user digital identity registered with that service provider. The mobile device uses the challenge and/or the secure material associated with the retrieved digital identity to generate a secure response. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the secure response directly to the service provider. Otherwise, the mobile device displays the secure response or part of it on its screen: the user types the data displayed on the mobile device onto the terminal and completes the authentication. [0034] In another embodiment of the present invention, the mobile device and the terminal are NFC devices, i.e. they are connected to or equipped with an NFC module. If the mobile device is a passive NFC device, then the terminal should be an active NFC device; if the mobile device is an active NFC device, then the terminal should be a passive NFC device. This way an NFC channel exists between the terminal and the mobile device. [0035] In this case, the service provider prompts for user registration sending its identity data (e.g. service provider domain name) to the terminal and from it to the mobile device through the existing NFC channel. When
prompted for registration from the terminal, the user brings the mobile device near it in order to establish the NFC channel and the communication to take place. The mobile device receives, decodes and stores the service provider data and shows the list of user digital identities available for the registration: the user selects the appropriate digital identity to be registered. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the selected digital identity and some related secure material (e.g. PKI certificate, username and password) directly to the service provider: it sends the data either through the NFC channel and/or through any other supported communication channel (e.g. http connection) that can reach the service provider. Otherwise the mobile device displays the secure material or part of it on its screen: the user types the data shown on mobile device display onto the terminal and completes registration. [0036] As for the authentication process in case of an NFC connection, the service provider prompts for user authentication sending the "challenge" to the terminal and from it to the mobile device through the existing NFC connection. When prompted for authentication from the terminal, the user brings the mobile device near it in
order to establish the NFC channel and the communication to take place. The mobile device receives and decodes the data: from this data it identifies which service provider is prompting for authentication among those already known and stored on the mobile device. It then retrieves the user digital identity registered with that service provider and it uses the challenge and/or the secure material associated with the retrieved user digital identity to generate a secure response. If the service provider being accessed and the user mobile device can communicate through some kind of network (e.g. internet), the mobile device sends back the secure response directly to the service provider. Otherwise, the mobile device displays the secure response or part of it on its screen: the user types the data shown on mobile device display onto the terminal and completes authentication. [0037] The user digital identities stored on the mobile device may be protected by a password or a PIN. [0038] The communications between the mobile device and terminal may be encrypted to prevent snooping.
[0039] The invention provides also a mechanism to manage user digital identities that is to create and store on the mobile device a new digital identity or to certify, modify or delete an existing one. [0040] The user can create a new digital identity typing
directly on the mobile device the data of the identity. Alternatively, the user can create a digital identity elsewhere (e.g. terminal) and send it to the mobile device through some kind of communication channel supported by the device (e.g. Bluetooth). The user can also modify an existing digital identity in the same way. The mobile device may in turn send the modified version to all the service providers the modified digital identity is registered with. [0041] The user can delete an existing digital identity. The mobile device may in turn inform of the deletion all the service providers the deleted digital identity is registered with. [0042] Finally, the user can certify an existing digital identity: the mobile device creates a PKI certificate signing request (i.e. CSR) based on the data of the identity, sends it to some certification authority through some kind of communication channel supported by the device (e.g. SMS), receives the related certificate and stores it associated to the digital identity whose data was used to create it.
[0043] Further characteristics, objects and advantages of the invention will be apparent from the following detailed description of examples of preferred embodiments, which are indicative and not limitative,
with reference to the accompanying drawings, in which: [0044] - Figure 1 is a schematic illustration of an exemplary system architecture to implement the registration/authentication method in accordance with the present invention;
[0045] - Figure 2 is a block diagram of an exemplary mobile device in accordance with the present invention; [0046] - Figure 3 illustrates a pictorial representation of the system architecture shown in Figure 1; [0047] - Figure 4 illustrates a pictorial representation of an exemplary system architecture in accordance with an alternative embodiment of the present invention; [0048] - Figure 5 illustrates an exemplary flow diagram of an exemplary simple registration process in accordance with the present invention;
[0049] - Figure 6 illustrates an exemplary flow diagram of an exemplary certified registration process in accordance with the present invention; [0050] - Figure 7 illustrates an exemplary flow diagram of an exemplary authentication process in accordance with the present invention;
[0051] - Figure 8 is a schematic illustration of an exemplary system architecture to implement the registration/authentication method in accordance with an alternative embodiment of the present invention;
[0052] - Figure 9 is a schematic illustration of another exemplary system architecture to implement the registration/authentication in accordance with an alternative embodiment of the present invention; [0053] - Figure 10 illustrates a pictorial representation of the system architecture shown in Figure 9; [0054] - Figure 11 illustrates a pictorial representation of another exemplary system architecture in accordance with an alternative embodiment of the present invention; [0055] - Figure 12 is a schematic illustration of another exemplary system architecture to implement the registration/authentication method in accordance with an alternative embodiment of the present invention; [0056] - Figures 13-18 are example screens of display of the mobile device illustrating the user interface windows for the identity management and the registration and authentication processes in accordance with the present invention. [0057] The present invention will be described herein in terms of functional block components, screen shots, optional selections and various processing steps. Such functional blocks may be realized by any number of hardware, firmware and/or software components configured to perform the specified functions. For example, the present invention may employ various integrated circuit
components, e.g. memory elements, processing elements, logic elements, look-up tables and similar, which may carry out a variety of functions under the control of one or more microprocessors or other control devices. Similarly, the software components of the present invention may be implemented in any programming and/or scripting language such as C, C++, Java, Perl, JavaScript, extensible markup language (i.e. XML), JavaCard and many others, with the various algorithms implemented with any combination of data structures, objects, processes, routines or other programming elements. The present invention may employ, unless noted, any number of conventional techniques for data transmission, signaling, data processing, network control and the like.
[0058] In the description of the invention some terms will be used with the following meaning:
[0059] Protocol: is a generic sequence of operations, processing and/or communication steps as well as the data structures and codes involved in those operations and/or steps. A well known example of protocol is the Hypertext Transfer Protocol (i.e. HTTP), which is one of the protocols the Internet is based on. [0060] Network: is a generic set of electronic devices and/or computers connected together, including the
connections and communication protocols between them. The connections may include wire, wireless communication links, fiber optic cables and the like. A well known example of network is Internet. Unless noted, this invention does not restrict to, or prescribe, any particular type of network.
[0061] Terminal: is a generic electronic device having a user interface (e.g. a personal computer) through which a person can access and use a service, an application and/or content. Unless noted, this invention does not restrict to, or prescribe, any particular type of terminal.
[0062] Service: a generic service, application and/or content that can be accessed and used through some functioning terminal. Unless noted, this invention does not restrict to, or prescribe, any particular type of service.
[0063] Service provider: is any subject that supplies a service (e.g. a bank, which supplies an online banking service) . In some cases, the service provider may be the terminal itself (e.g. a computer, which provides access to a specific content stored on it) . Unless noted, this invention does not restrict to, or prescribe, any particular type of service provider. [0064] User: is any subject that accesses and uses a
service through some functioning terminal.
[0065] Service site: is the user interface of a service through which a user can access and use the service (e.g. a web site for an online service, an ATM user interface). Unless noted, this invention does not restrict to, or prescribe, any particular type of service site. [0066] Digital identity: is a set of data that in some context describes and uniquely identifies a subject. A subject is, for example, a user or a service provider. A subject can have one or more digital identities; any digital identity refers to one and only one subject. [0067] Identity card: a generic representation of digital identity data according to some predefined format (e.g. the vCard format). Unless noted, this invention does not restrict to or prescribe any particular format.
[0068] User account: is a set of user personal data that are stored and used by a service provider to describe and uniquely identify a user. Typically a user account reflects the digital identity that the user registered with the service provider.
[0069] Registration: is the process of enrollment of a subject (e.g. a person) in the service user group of the service that the subject wants to access and use. The registration usually requires a subject to supply his identifying data (e.g. first name, last name, e-mail) to
the service provider and typically ends with the creation of a related user account. If the process completes successfully the subject who has applied for registration becomes a registered user of the service. [0070] Authentication: also known as the "log in" process, is the process through which the service provider recognizes a subject as being one of the legitimate registered users of the service it provides. If the process completes successfully the subject, i.e. the user, is allowed to access and use the service. The authentication typically requires a subject to provide the service provider with enough information (e.g. username and password) to recognize him as a legitimate user with some degree of certainty. The safer the authentication process, the higher the degree of certainty.
[0071] Server: is a set of one or more electronic devices through which the service provider supplies its service. Unless noted, this invention does not restrict to, or prescribe, any particular type or number of servers. [0072] Digital certificate: is a set of data that binds a PKI public key to a digital identity in a secure and unique way. An example of digital certificate is an X.509 certificate, commonly used on the Internet to certify user and service provider identities. Unless noted, this invention does not restrict to, or prescribe, any
particular type of certificate.
[0073] NFC: is a short-range, wireless, contactless communication technique that allows communications to take place between devices which either touch or are momentarily held close together. The technology works via magnetic field induction and operates on an unlicensed radio frequency band. NFC enables devices to share information either in one direction or both. NFC is an open platform technology based on Radio Frequency Identification technology and is an approved ISO standard (ISO/IEC 18092 and 21481) .
[0074] The following paragraphs describe in detail different embodiments of the present invention. [0075] Figure 1 is a schematic illustration of the devices involved in the registration and authentication of a user with a service provider, in accordance with a preferred embodiment of the invention. The user has a mobile device 10, preferably equipped with a camera 12 and connected to a service provider 14 through a network B. To the same service provider 14 a terminal 16 is connected through the network A. The terminal 16 may be for example a personal computer or an ATM. In figure 1, the service provider 14 is represented by its own server 15 connected to the terminal 16 and to the mobile device 10 through the networks A and B. The server 15 provides a
service such as, for example, an on-line banking service, an e-commerce service or the access to some kind of qualified content. The network A that connects the terminal 16 to the service provider 14 may be different from the network B that connects the mobile device 10 to the service provider 14. The user accesses and uses the service supplied by the service provider 14 through the terminal 16. [0076] As shown in Figure 2, according to an embodiment of the invention the mobile device 10 includes a registration module 20, an authentication module 22, an identity management module 24 and a permanent memory 26 to store the user digital identities. The registration module 20 and the authentication module 22 manage respectively the registration and the authentication process as explained in the following paragraphs. The identity management module 24 manages the creation, modification, deletion and any other operation related to user's and service provider's digital identities stored on the mobile device.
[0077] More in detail, the identity management module 24 enables the user to create on his mobile phone one or more digital identities. Created identities appear as a set of digital identity cards. Each card carries a number of standard fields (as defined by some standard, e.g. vCard) dedicated to personal data and a small set of private fields that store information about secrets and digital certificates associated with the identity. Each user digital identity is associated with the list of service providers it is registered with. Each digital identity resides in the permanent storage 26 of the mobile device. Each user digital identity can be certified by a service provider or by a trusted third party authority, as described in the following paragraphs.
[0078] The modules that implement the invention may be integrated with all or part of the other hardware (e.g. camera, NFC element), software (e.g. web browser) or firmware components of the mobile device 10. [0079] Figure 3 shows a pictorial representation of an embodiment of the invention in which the terminal 16 has a screen 30 and a graphical user interface (i.e. GUI, a user interface that is able to show not only characters but also images). [0080] The mobile device 10 may be, for example, a mobile phone, a handheld computer or a personal digital assistant (i.e. PDA). The mobile device 10 is equipped with a camera 12 and carries the user digital identities. The terminal and the mobile device are connected through some kind of network A, B (e.g. the Internet) to the server
15 of the service provider 14.
[0081] Figure 4 shows an alternative embodiment of the invention, in which the mobile device 10 is not directly connected to the service provider 14. In this case transmission of the data needed for the registration and authentication processes from the service provider 14 to the mobile device 10 takes place through images 40 displayed on the service site 38 on the terminal 16 and acquired by the mobile device 10 through its camera 12. On the other side, the mobile device 10 displays the data to be sent to the service provider 14 on its screen: data are effectively sent to the service provider 14 when the user types them on the service site shown on the terminal and submits them to the service provider. Lack of connection between the mobile device 10 and the service provider 14 may happen for several reasons: the mobile device could be offline (i.e. disconnected from any network) or it could be connected to a network that does not reach the service provider; or it could be connected to a network that reaches the service provider but the user chooses to avoid connection to save on his connection bill. The lack of a connection between the mobile device and the service provider neither changes the nature of the invention nor alters the sequence of functional steps that the present invention implies.
[0082] The flowchart of Figure 5 shows the operations of the mobile device during the registration process in accordance with the preferred embodiment of the present invention. The service provider 14 prompts for user registration displaying on the service site 38 on the screen 30 of the terminal 16 an image 40 (i.e. a 2D-barcode image) that encodes the service provider identifying data or a reference to them. These data could be, for example, its domain name or any other data structure that contains enough data to uniquely identify the service provider. The registration process starts when the prospective user takes a picture of the image 40 shown on the screen 30 of the terminal 16 using the camera 12 of his mobile device 10 (step 100). The mobile device 10 acquires the image: the registration module 20 on the device 10 receives and decodes the acquired image, extracting the service provider data (step 102). A check is made in order to establish if a reference to service provider identifying data is received (step 104). This reference may be, for example, a URL or a URI (URL, i.e. Uniform Resource Locator; URI, i.e. Uniform Resource Identifier) pointing to the Internet location where to download the data from. If a reference is received, the registration module resolves the reference accessing the network (step 106) and downloading the data using the
given URL or URI (step 108). If a reference is not received, data fully describing and identifying the service provider are received. The mobile device 10 shows the service provider data on the screen for the user's review and acceptance (step 110). A check is made (step 112) in order to establish if the received service provider data are trustworthy according to some trust criterion (e.g. they are signed with a valid and trusted key). If data are not deemed trustworthy they are discarded and the registration process ends (step 114). If data are deemed trustworthy, the registration module 20, collaborating with the identity management module 24, retrieves the user digital identities stored on the mobile device and available for registration: the mobile device displays the list of available user digital identities on its screen (step 116). The user selects the identity to be registered with the service provider (step 118). The registration module 20 receives the choice of the user and generates some secure and secret material (e.g. a secret key) associated with the selected digital identity (step 120). A check is made as to whether the mobile device is directly connected to the service provider. If the mobile device is connected to the service provider through some kind of network or connection, the registration module sends the selected
user digital identity data and the associated secure material to the service provider (step 122). If the mobile device is not connected to the service provider, it shows on its screen the user digital identity data and/or the associated secure material or part of it, leaving to the user the task of typing the information in the registration form of the service site shown on the terminal (step 124). Finally, the registration module 20, collaborating with the identity management module 24, creates a new digital identity for the service provider which the user has registered with and stores it in the device permanent storage, associating it with the user digital identity used in the registration (step 126). This ends the registration process. [0083] In accordance with a variant of the registration process illustrated by the flowchart shown in figure 6, in which the steps from 100 to 118 are the same as in the above described registration process, after the user selects the identity to be registered with the service provider (step 118), the registration module 20 receives the choice of the user and generates a pair of asymmetric keys (i.e. PKI keys) (step 220). It also generates a PKI certificate signing request (i.e. CSR) based on the public key just created and the data of the selected user digital identity. The CSR and the keys are
associated with the selected user digital identity (step 222). The registration module 20 sends the CSR and the related user digital identity data to the service provider 14 (step 224). Based on the service provider data the registration module 20, collaborating with the identity management module 24, also creates a new digital identity for the service provider which the user is registering with and stores it in the permanent storage of the mobile device (step 226). The service provider (or some other certification authority which the CSR is forwarded to) receives the CSR and, based on it, produces a valid public key certificate that it sends back to the mobile device (step 228). The mobile device receives the certificate: the registration module stores it and associates it with the user digital identity used to create the CSR (step 230). This ends the registration process. [0084] With reference to Figure 7, a flowchart is shown illustrating the operations of the mobile device 10 during the authentication process in accordance with one embodiment of the present invention. The service provider 14 prompts for user authentication displaying on the screen 30 of the terminal 16 an image (i.e. a 2D-barcode image) that encodes some newly generated unique data called "challenge". The challenge may include, for example, the service provider unique identifier and/or a
randomly generated unique number (e.g. a nonce) and/or a digital signature: in general, it contains enough information to identify the service provider and/or to create a secure response that can identify the user with certainty. The authentication process starts when the prospective user takes a picture of the image shown on the terminal screen using his mobile device camera (step 300). The mobile device 10 acquires the image: the authentication module 22 on the device 10 receives and decodes the acquired image, extracts the encoded data and verifies their authenticity and integrity (e.g. by verifying their signature). From the same data the authentication module 22 extracts the challenge (step 302) and checks whether it contains enough information to identify the service provider among the providers already known and stored on the mobile device (step 304). If it does not contain enough information to determine the service provider, the mobile device shows the list of stored service providers on its display (step 306), leaving to the user the task of choosing the service provider with which he is authenticating (step 307). If it contains enough information to determine the service provider, the authentication module 22 automatically identifies the service provider among those stored on the device. Afterwards, the authentication module 22, collaborating
with the identity management module 24, retrieves from permanent storage 26 the user digital identity registered with the given service provider (step 308). Based on the challenge and the secure material associated with the retrieved user digital identity, the authentication module 22 generates a secure response (step 310). The secure response may contain, for example, the challenge signed with the user private key, or it may simply contain some hash of the challenge combined with some other secret shared by the user and the service provider. A check is made as to whether the mobile device is directly connected to the service provider. If the mobile device is connected to the service provider through some communication channel, the authentication module sends the secure response back to the service provider (step 312). If the mobile device is not connected to the service provider, the authentication module shows on the mobile device screen the secure response or part of it, leaving to the user the task of typing the information in the authentication form of the service site shown on the terminal (step 314). This ends the authentication process.
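The simple registration of steps 100-126 and the authentication of steps 300-314 can be put side by side in code. The following is an added example written for this page; it is not code from the patent or from any implementation of it. Where the text leaves the choice open it assumes that the challenge is a random nonce plus the provider identifier, signed with an ECDSA P-256 key that the mobile device pins when it stores the provider identity at step 126, and that the response is an HMAC-SHA-256 of the challenge under the secret material of step 120 (the "hash of the challenge combined with a shared secret" option of step 310). The names Challenge, ServiceProvider, ProviderRecord, MobileDevice, challengeDigest and hmacResponse are the example's own, the device is reduced to one user digital identity, and the trust check of step 112 is taken as already passed. Two checks the page only implies are made explicit: the device refuses a challenge that the registered provider did not sign, and the provider refuses to accept the same nonce twice, so a response the user typed at a kiosk cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
)

type Challenge struct { // what the authentication image of step 300 would encode (field names are ours)
	ProviderID string
	Nonce      string // hex of 16 random bytes, fresh per authentication
	Sig        []byte // ECDSA P-256 signature (ASN.1) over challengeDigest(ProviderID, Nonce)
}

type ServiceProvider struct { // server side: issues signed challenges and verifies responses
	ID       string
	signKey  *ecdsa.PrivateKey
	accounts map[string][]byte // user account -> secret material received at step 122
	answered map[string]bool   // nonces already answered, so a captured response is single-use
}

// ProviderRecord is the provider identity stored at step 126 plus the secret of step 120.
type ProviderRecord struct {
	PubKey *ecdsa.PublicKey
	Secret []byte
}

type MobileDevice map[string]*ProviderRecord // provider ID -> record, for one user digital identity

func NewServiceProvider(id string) (*ServiceProvider, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &ServiceProvider{ID: id, signKey: k, accounts: map[string][]byte{}, answered: map[string]bool{}}, err
}

// PublicKey is part of the provider data of step 102/108; the device pins it at registration.
func (sp *ServiceProvider) PublicKey() *ecdsa.PublicKey { return &sp.signKey.PublicKey }

// Register stores the secret the device generated and sent (steps 120 and 122).
func (sp *ServiceProvider) Register(user string, secret []byte) { sp.accounts[user] = secret }

// challengeDigest binds provider identifier and nonce into the value that is signed and answered.
func challengeDigest(providerID, nonce string) []byte {
	h := sha256.Sum256([]byte(providerID + "\x00" + nonce))
	return h[:]
}

// NewChallenge produces the content of the authentication image (step 300).
func (sp *ServiceProvider) NewChallenge() (Challenge, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return Challenge{}, err
	}
	nonce := hex.EncodeToString(n)
	sig, err := ecdsa.SignASN1(rand.Reader, sp.signKey, challengeDigest(sp.ID, nonce))
	return Challenge{ProviderID: sp.ID, Nonce: nonce, Sig: sig}, err
}

// hmacResponse is the "hash of the challenge combined with a shared secret" form of step 310.
func hmacResponse(secret []byte, c Challenge) string {
	m := hmac.New(sha256.New, secret)
	m.Write(challengeDigest(c.ProviderID, c.Nonce))
	return hex.EncodeToString(m.Sum(nil))
}

// Verify checks a response sent over the network (step 312) or typed by the user (step 314).
func (sp *ServiceProvider) Verify(user string, c Challenge, response string) bool {
	secret, ok := sp.accounts[user]
	if !ok || c.ProviderID != sp.ID || sp.answered[c.Nonce] {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(hmacResponse(secret, c)), []byte(response)) != 1 {
		return false
	}
	sp.answered[c.Nonce] = true
	return true
}

// Register implements steps 118-126 once the trust check of step 112 has passed.
func (d MobileDevice) Register(providerID string, pub *ecdsa.PublicKey) ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	d[providerID] = &ProviderRecord{PubKey: pub, Secret: secret}
	return secret, nil // sent to the provider (step 122) or shown for typing (step 124)
}

// Respond implements steps 302-310: refuse a challenge the registered provider did not sign.
func (d MobileDevice) Respond(c Challenge) (string, error) {
	rec, ok := d[c.ProviderID]
	if !ok {
		return "", errors.New("not registered with " + c.ProviderID) // step 306 would ask the user
	}
	if !ecdsa.VerifyASN1(rec.PubKey, challengeDigest(c.ProviderID, c.Nonce), c.Sig) {
		return "", errors.New("challenge not signed by the registered provider")
	}
	return hmacResponse(rec.Secret, c), nil
}
```

The response is 64 hex characters; an implementation that shortens it for the typed path of step 314 trades response entropy for usability, and it is the single-use nonce on the provider side that keeps a shortened, observed value from being reused. Pinning the provider's signing key at registration is what gives the signature check of step 302 its meaning: a rogue site that reuses the provider's identifier but not its key cannot get the device to answer.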
[0085] Figure 8 shows a variant of the preferred embodiment of the invention where the terminal itself 160 is the service provider: the service may be the access to
some protected resource of the terminal (e.g. files, directories, databases) . The terminal 160 has a screen 30 and a graphical user interface. The mobile device 10 is equipped with a camera 12 and carries the user digital identities. The mobile device 10 may be connected to the terminal 160 through some kind of network or connection 170 (e.g. WLAN, Bluetooth) . If the mobile device 10 is not directly connected to the terminal, transmission of all the data from the terminal to the mobile device implied by the registration and authentication processes may take place through images displayed on the terminal screen and acquired by the mobile device through its camera. On the other side, the mobile device shows on its display the information to be sent to the terminal, leaving the user with the task to type them directly on the terminal. The registration and authentication processes proceed as stated for the preferred embodiment of the invention, with the terminal as a substitute for the service provider. [0086] Figure 9 shows an alternative embodiment of the invention where, with respect to the embodiment shown in figure 1, the mobile device 10 and the terminal 16 are equipped with an NFC module and therefore connected by an NFC channel. [0087] Referring to Figure 10, a pictorial representation
of the same alternative embodiment of the invention shows the terminal 16 being connected to an NFC device. Alternatively, the terminal may be equipped with an embedded NFC module. The mobile device 10 is also equipped with an NFC module. As in the previous embodiment, the mobile device carries the user digital identities. The terminal and the mobile device are connected to some network, e.g. Internet. The service provider server is connected to the mobile device and the terminal through the same networks.
[0088] Figure 11 shows another embodiment of the invention in which, differently from the above-mentioned embodiment, the mobile device 10 is not directly connected to the service provider 14. In this case, transmission of all the data needed for the registration and authentication processes from the service provider to the mobile device takes place through the NFC channel that exists between the terminal and the device. On the other side, the mobile device 10 has two alternatives to send data to the service provider 14: the first is showing them on its display so that the user can type them on the service site shown on the terminal and submit them to the service provider. The second is sending them back to the terminal using the existing NFC channel and letting the terminal transmit them to the service
provider. Such lack of a direct connection between the mobile device and the service provider may happen for several reasons: the mobile device could be offline (i.e. disconnected from any network) or it could be connected to a network that does not reach the service provider, or it could be connected to a network that reaches the service provider but the user chooses to avoid connection to save on his connection bill. The lack of a connection between the mobile device and the service provider neither changes the nature of the invention nor alters the sequence of functional steps that the present invention implies.
[0089] In the presence of an NFC channel the registration process, whether the simple or the certified one, and the authentication process are analogous to those already described above; the only difference is that the data exchange between the terminal and the mobile device takes place through the NFC channel instead of through the display of an image, its acquisition through the mobile device camera and its decoding.
[0090] Figure 12 shows a variant of the alternative embodiment of the invention where the terminal itself 160 is the service provider: the service may be the access to some protected resource of the terminal (e.g. files, directories, databases) . The terminal may be connected to
an external NFC device 50. Alternatively, the terminal may be equipped with an embedded NFC module. The mobile device is also equipped with an NFC module 50. The terminal and the mobile device are connected through an NFC channel 55: they may also be connected through some other type of network or connection B (e.g. WLAN, Bluetooth). The communications between the mobile device and the terminal may take place through the NFC channel 55 or through the alternative communication channel B which connects them. The registration and authentication processes proceed as stated for the alternative embodiment of the invention, with the terminal as a substitute for the service provider. [0091] Advantageously, whatever the embodiment of the invention, the communications between the mobile device and the terminal, between the terminal and the service provider and between the mobile device and the service provider may be encrypted to prevent snooping. The terminal and the mobile device may use, for instance, SSL/TLS to protect their HTTP communications with the service provider. The modules installed on the mobile device (i.e. the registration and authentication modules) may be configured to encrypt/decrypt the data transferred. Where the mobile device is offline and the data travel through the displayed image and the user's typing (Figures 4 and 11), there is no channel between the device and the service provider to encrypt, so the protection of that path rests on the challenge being fresh and signed and on the response being usable only for that challenge. [0092] Advantageously, the user digital identities stored
on the mobile device may be protected by a password or a PIN. In such a way, any use of a digital identity may require the user to type the password or PIN: this prevents the use of the digital identities stored on the device by a thief, when the mobile device is stolen. On the other side, it allows the user to remember only one mobile device password or PIN to access a plurality of services, systems and resources. In some sensitive cases, the password or PIN that protects digital identities may be replaced by a stronger protection method, like an iris scan through the mobile device camera or some other biometric recognition method. In this way the user does not have to remember any password or PIN to access and use his digital identities on the mobile device: the mobile device authenticates him simply through his unique biometric data.
[0093] The identity management module 24 enables the user to modify one of his digital identities stored on the mobile device; the same module may autonomously send to each service provider with which the identity is registered the modified version of the digital identity. Some restrictions apply when the digital identity has been certified by a service provider or some other authority. In this case the user cannot modify the digital identity without enrolling in a new certification
process with the authority that certified the identity. [0094] The identity management module 24 enables the user to delete one of his digital identities stored on the mobile device; deleting a user digital identity may imply unregistering it with every service provider with which it has been registered. In this case, the identity management module in collaboration with the registration module may autonomously inform of the deletion each service provider where the identity has been registered, using one of the communication channels available on the mobile device, for example sending it an SMS or accessing a specific URL.
[0095] For each service provider with which a user digital identity has been registered, the identity management module may create and store a service provider digital identity based on the service provider identifying data received during the registration process. The identity management module enables the user to delete the service provider digital identities stored on the mobile device; deleting a service provider digital identity may imply unregistering the user with it. In this case, the identity management module in collaboration with the registration module may autonomously inform the related service provider of the deletion using one of the available communication channels (e.g. SMS, Internet).
[0096] The identity management module enables the user to review which of his digital identities are registered with a given service provider. The same module enables the user to review the list of service providers a given user digital identity is registered with.
[0097] As already said, the identity management module 24 collaborates with the registration module 20 and the authentication module 22 during the registration and authentication process, respectively. In these processes, given a service provider identifier, the identity management module retrieves the user digital identity registered with the related service provider. [0098] Advantageously, the identity management module enables the user to export a single digital identity or the entire content of the identity database in a ciphered format and import it into a different mobile device. This allows the user to preserve his data even when he changes mobile device. [0099] Example screens of display for an identity management, registration and authentication module are shown in Figures 13-18.
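Paragraphs [0092] and [0098] together describe a PIN-protected identity store whose contents can be exported in a ciphered format and imported on another device. The block below is an added example for this page, not code from the patent: it derives an AES-256 key from the PIN with PBKDF2-HMAC-SHA-256 (written out inline, since older Go toolchains have PBKDF2 only outside the standard library) and seals the serialised identities with AES-GCM, so a thief holding the export but not the PIN gets nothing, and a modified export is rejected instead of being imported. StoredIdentity, Export, Import and the iteration count are this example's own choices; the sample identity in the test is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// StoredIdentity is the part of an identity card that must never leave the device in clear:
// the secrets associated with each provider it is registered with (field names are ours).
type StoredIdentity struct {
	Name    string            `json:"name"`
	Secrets map[string][]byte `json:"secrets"` // provider ID -> secret material (step 120)
}

const (
	saltLen    = 16
	iterations = 100000 // PBKDF2 rounds; an assumption to raise as far as the device's CPU allows
)

// pbkdf2SHA256 implements PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA-256 as the PRF.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	block := make([]byte, 4)
	for i := uint32(1); len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(block, i)
		prf.Reset()
		prf.Write(salt)
		prf.Write(block)
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i accumulates U_1 xor U_2 xor ... xor U_c
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_j = PRF(P, U_{j-1})
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// sealer builds the AES-256-GCM instance for a PIN and salt.
func sealer(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Export serialises the identities and seals them under the PIN: salt || nonce || ciphertext+tag.
func Export(ids []StoredIdentity, pin string) ([]byte, error) {
	plain, err := json.Marshal(ids)
	if err != nil {
		return nil, err
	}
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := sealer(pin, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte(nil), salt...), nonce...)
	return gcm.Seal(out, nonce, plain, salt), nil // the salt doubles as associated data
}

// Import reverses Export on another device; a wrong PIN or a modified blob fails the GCM tag.
func Import(blob []byte, pin string) ([]StoredIdentity, error) {
	if len(blob) < saltLen+12+16 { // 16-byte salt, 12-byte GCM nonce, 16-byte tag
		return nil, errors.New("export too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	gcm, err := sealer(pin, salt)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	plain, err := gcm.Open(nil, rest[:ns], rest[ns:], salt)
	if err != nil {
		return nil, errors.New("wrong PIN or tampered export")
	}
	var ids []StoredIdentity
	if err := json.Unmarshal(plain, &ids); err != nil {
		return nil, err
	}
	return ids, nil
}
```

One caveat the page does not raise: an export that travels off the device is exposed to offline guessing, and a four-digit PIN has only ten thousand values, so no iteration count makes it adequate on its own. The PIN is fine for unlocking identities on the device, where the device can count failed attempts; for the export of [0098] a longer passphrase, or a key shared between the two devices by another channel, is the better choice.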
[00100] Particularly, Figure 13 shows a screen comprising an identity card window 60 that includes a title bar 61, which may display the name of the identity or some other related title, a toolbar 62, which may display a number of buttons, and, in the central part, the data 63 of the selected digital identity, for example name, nickname, address, telephone number, e-mail. The toolbar 62 may include a button 64 to edit the selected field of the digital identity, a button 65 to register or certify the selected digital identity, a button 66 to review the service providers which the identity is registered with, a button 67 to add one or more fields (e.g. organization, photo) and a button 68 to delete an existing field.
[00101] Figure 14 shows a screen comprising the user digital identity list window 70 that includes a title bar 71, a toolbar 72 and, in the central part, a list 73 of digital identities stored on the mobile device. The toolbar 72 may include a button 74 to open the selected digital identity detail window, a button 75 to register or certify the selected digital identity, a button 76 to search among the stored digital identities, a button 77 to add a new digital identity and a button 78 to delete an existing one.
[00102] Figure 15 shows a screen comprising an identity field edit window 80 that includes a title bar 81, a menu bar 82 and, in the central part, the field 83 to edit with its value 84. The menu bar may contain an item to confirm the field value (i.e. OK) and an item to discard
the changes made (i.e. Cancel).
[00103] Figure 16 shows a screen comprising a registration window 90 that includes a title bar 91, a button 92 to confirm registration, a button 92 to abandon the registration and in the central part a summary of the service provider 93 and the user digital identity 94 involved in the process.
[00104] Figure 17 shows a screen comprising an authentication window 400 that includes a title bar 401, a button 402 to confirm authentication, a button 403 to abandon the authentication and in the central part a summary of the service provider 404 and the user digital identity 405 involved in the authentication process. [00105] Figure 18 shows a screen comprising an authentication result window 500 that includes a title bar 501, a button 502 to end the authentication process and in the central part the secure response 503 generated by the authentication module. [00106] The method according to the invention reduces the registration and authentication processes to a simple gesture like waving the mobile device near the terminal (i.e. "touching" the terminal with the mobile device) or taking a snapshot of an image shown on the terminal screen. This spares the user from remembering and typing his credentials (e.g. username and password) and protects him from piracy and identity theft.
[00107] The proposed system also promotes identity portability, allowing the user to reuse the same identity with several service providers and on several machines. In fact, identities are stored on the user's mobile device, which is typically strictly personal. Hence the user can always carry his own digital identities with him. This is a guarantee of reuse and privacy.
[00108] In addition, the method gives users the possibility to track identity usage and dependencies: this improves the user's awareness and confidence.
[00109] The near field interaction on which the whole system is based simply requires waving the mobile device near the terminal or taking a snapshot of an image shown on the terminal; both of these operations are simple and intuitive. The proposed method does not require any configuration by the user, since no configuration is needed to establish an NFC channel between the terminal and the mobile device or to take a snapshot. This saves the user from tricky configuration processes in which to set the value of incomprehensible technical parameters.
[00110] NFC technologies as such are themselves intuitive and easy to use: this automatically generates trust and confidence in the user, who always feels in control of what is happening. Moreover, the short range in which communication takes place reduces privacy breach risks to a minimum: therefore the system can be used with equal confidence at home or at a kiosk in a public place.
[00111] Finally, the method has an intuitive graphical user interface that makes the user's interaction simple and fun.
[00112] From a functional point of view, the system is not only an authentication token; it also offers the capability of storing and managing the user's personal data and credentials for multiple online services. Unlike a simple authentication token, it gives the user control over the set of information given to each service provider; this is interesting for users concerned with their privacy. It also gives the possibility to reuse personal data and credentials, saving time and annoyance in the registration process.
[00113] The possibility to use even simple optical technologies allows the system to adapt to a multitude of different technological contexts. In the poorest ones, where no NFC reader is available, the user can use his mobile device camera. In the most advanced ones, the user can take full advantage of the system using NFC technologies (e.g. RFID). In those cases the system performs best, fully automating some processes and making them transparent to the user.
[00114] System security may rely on the security of the mobile device smart card, which preserves every secret and key of the application. The authentication process is based on a challenge/response protocol. The response is generated either from a secret shared between the user and the service provider during a simple registration or from the user's private key, the public key of which was certified by the service provider during a certified registration.
[00115] Certified registration has one important advantage over simple registration: the user's digital identity involved in the registration becomes "certified", which means that a digital certificate guarantees its validity. This is particularly useful in a federated environment, that is an environment in which a set of service providers use and trust common certification/identity servers and in some cases share the registration/authentication process; in fact, in such an environment the user could use a certified identity to authenticate to a service provider with whom he never registered but who trusts the service provider that certified the presented identity.
[00116] Thus, certified registration allows the system to integrate and work equally well in a federated identity environment.
[00117] Finally, the proposed registration and authentication methods are as secure as the safest authentication devices (i.e. smart card, RSA token) and can be used in any context in which these same devices can be used.
[00118] In accordance with the preferred embodiment, the proposed invention, including the above-mentioned registration and authentication methods, is implemented by software installed on a mobile device. This implies negligible distribution cost and no need for the user to adopt an additional device to authenticate himself with the service provider.
[00119] Moreover, the proposed invention is more intuitive and easier to use than present authentication devices. It does not require the adoption of cumbersome and difficult-to-manage proprietary technologies. It supports either symmetric or asymmetric keys; therefore it is quite easy to integrate with existing infrastructures. Finally, the invention does not include only an authentication method; it also includes a compact identity management tool that enables the user to manage and control the use of his digital identities and automates some procedures related to the registration and authentication processes.
[00120] To satisfy contingent needs, a person skilled in the art could modify, adapt and replace some of the elements of the above-mentioned embodiments of the invention with other functionally equivalent ones without departing from the following claims. Every characteristic described as belonging to one of the possible embodiments can be independently implemented by the other described embodiments.
Claims
1. A method for registering a user with a service provider, comprising the steps of:
- creating and storing on a mobile device at least one digital identity;
- establishing a communication between the mobile device and the service provider;
- exchanging information between the mobile device and the service provider in order to generate some secret data associated to the chosen digital identity and to the service provider;
- storing said secret data on the mobile device and at the service provider.
2. A method for registering a user according to claim 1, comprising the steps of:
- delivering to the mobile device information related to the service provider;
- generating by means of the mobile device some secret data associated to a digital identity and to said information related to the service provider;
- sending to the service provider said secret data together with the username or other identifying information related to the chosen digital identity; and
- storing said generated secret data.
3. A method for registering a user according to claim 2, in which the information related to the service provider is delivered to the mobile device through a page of the service site.
4. A method for registering a user according to claim 3, in which the service provider delivers to the user an address or a reference to an address where to download the service provider information from, and wherein said address or reference to it is delivered in an encoded form through a page of the service site and it is read and decoded from the mobile device.
5. A method for registering a user according to claim 4, in which the address or the reference to the address is encoded as a bar code and in which the mobile device takes a snapshot of said bar code and decodes its content.
6. A method for registering a user according to claim 4, in which the address or the reference to the address is delivered as an NFC tag and is read by the mobile device through an NFC reader.
7. A method for registering a user according to claim 2, in which the service provider information is typed directly on the mobile device or received by the mobile device through an NFC channel.
8. A method for registering a user according to any claim from 2 to 7, in which the service provider information includes the service provider public key.
9. A method for registering a user according to claim 8, in which the secret data generated by the mobile device are encrypted using the service provider public key.
10. A method for registering a user according to claim 1, comprising the steps of:
- generating through the mobile device a certificate signing request associated to a given digital identity;
- sending said request to the service provider or to a third party certification authority;
- the service provider or the certification authority generating a related certificate;
- sending said certificate back to the mobile device;
- storing the certificate on the mobile device associating it with the related digital identity.
11. A method for registering a user according to any of the preceding claims, in which the data exchange between the mobile device and the service provider takes place through a terminal through which the user accesses the service supplied by the service provider.
12. A method for authenticating a user with a service provider, whereas the user has registered with the said service provider through a registration method in accordance with one of the preceding claims, comprising the steps of:
- generating, by the service provider side, a challenge containing enough information for the user to generate a secure response;
- encoding the challenge;
- delivering the encoded challenge to the user;
- acquiring the encoded challenge with the mobile device;
- extracting the service provider identifier and selecting automatically the digital identity registered with said service provider;
- generating a secure response to the challenge and sending said response to the service provider together with the username or other identifying information related to the selected digital identity.
13. A method for authenticating a user according to the claim 12, in which the challenge includes a service provider identifier, and in which the mobile device extracts from the acquired challenge said service provider identifier and automatically selects the user digital identity registered with said service provider.
14. A method for authenticating a user according to the claim 12 or claim 13, in which the challenge is encoded as a bar code or an NFC tag.
15. A method for authenticating a user according to the claim 14, in which the mobile device acquires the challenge taking a snapshot of the bar code or reading the NFC tag that contains it.
16. A method for authenticating a user according to the claim 14 or claim 15, in which the mobile device uses some secret data shared with the service provider or a user' s private key to generate the response to the challenge, said private key being associated to the public key certified by the service provider or by the third party certification authority.
17. A method for authenticating a user according to any of the claims from 12 to 16, in which the response is sent to the service provider through an NFC channel and/or an HTTP connection.
18. A method for authenticating a user according to any of the preceding claims, in which the data exchange between the mobile device and the service provider takes place through a terminal through which the user accesses the service supplied by the service provider.
19. A mobile device, comprising:
- means to create and store at least one digital identity;
- means to establish a communication with the service provider;
- means to generate secret data associable both with a digital identity and a service provider;
- means to store said secret data.
20. A mobile device according to the claim 19, further comprising means to decode encoded information delivered by the service provider.
21. A mobile device according to the claim 20, comprising a camera to take a picture of a bar code displayed on the screen of a terminal.
22. A mobile device according to the claim 19 or 20, comprising an NFC device to exchange information with a terminal through an NFC channel.
23. A mobile device according to any of the claims 19-22, further comprising:
- means to generate a certificate signing request associated to a given digital identity;
- means to send said request to the service provider;
- means to store a certificate received from the service provider associating it with the given digital identity.
24. A mobile device, comprising:
- a permanent memory in which to store at least one digital identity;
- means to acquire a challenge sent by the service provider;
- means to decode said challenge;
- means to automatically select the digital identity registered with said service provider;
- means to generate a response to the challenge; and
- means to send said response to the service provider together with the username or other identifying information related to the selected digital identity.
25. A mobile device according to the claim 24, comprising means to connect to a service provider site or web service through an http connection.
26. A mobile device, comprising hardware and/or software means to:
- control a camera and decode a bar code;
- connect to the service provider site or web service through an http connection;
- store and manage at least one digital identity associated to the user and at least one digital identity of a service provider associated to said user;
- modify or create a digital identity;
- generate user public key, secret data and other secure confidential material;
- export secret data;
- manage an NFC communication with a terminal.
27. A mobile device, comprising hardware and/or software means to implement a registration method of a user with a service provider according to any of the claims 1-11 and/or an authentication method according to any of the claims 12-18.
28. Program product directly loadable into the internal memory of a mobile device and comprising software code portions suitable to implement a registration method of a user with a service provider according to any of the claims 1-11 and/or an authentication method according to any of the claims 12-18, when the program is executed on a mobile device.
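The shared-secret variant of the challenge/response scheme in [00114] and claims 1-2 and 12-17, as an added Python simulation that is not the patent's own code: the challenge layout `sp_id|nonce_hex|issued_at`, the 60-second validity window, the HMAC-SHA256 response and every class and function name are assumptions, and the bar code or NFC tag is stood in for by passing the challenge string directly.

```python
"""Shared-secret challenge/response simulation: constructed example, not the patent's code.
Assumed layouts: registration {"username", "secret"}; challenge "sp_id|nonce_hex|issued_at";
response {"username", "response"}. Bar-code/NFC transport is replaced by passing the string."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed policy)


def parse_challenge(encoded):
    """Split the assumed challenge layout; ValueError if malformed."""
    parts = encoded.split("|")
    if len(parts) != 3:
        raise ValueError("malformed challenge")
    return parts[0], parts[1], int(parts[2])


def mac_of(secret, encoded_challenge):
    return hmac.new(secret, encoded_challenge.encode(), hashlib.sha256).hexdigest()


@dataclass
class MobileDevice:
    """Stores the user's identities (name -> username) and one secret per provider."""
    identities: dict = field(default_factory=dict)
    registrations: dict = field(default_factory=dict)  # sp_id -> (identity name, secret)

    def register(self, identity_name, sp_info):
        """Claims 1-2: generate secret data bound to (identity, provider) and hand it over.
        The patent would encrypt it with the provider's public key (claim 9); omitted here."""
        sp_id = sp_info["sp_id"]
        if sp_id in self.registrations:
            raise ValueError("an identity is already registered with this provider")
        secret = secrets.token_bytes(32)
        self.registrations[sp_id] = (identity_name, secret)
        return {"username": self.identities[identity_name], "secret": secret}

    def respond(self, encoded_challenge):
        """Claims 12-13: extract sp_id, auto-select the identity registered with it, HMAC."""
        sp_id, _nonce, _issued = parse_challenge(encoded_challenge)
        if sp_id not in self.registrations:
            raise KeyError(f"no digital identity registered with {sp_id}")
        identity_name, secret = self.registrations[sp_id]
        return {"username": self.identities[identity_name],
                "response": mac_of(secret, encoded_challenge)}


@dataclass
class ServiceProvider:
    sp_id: str
    users: dict = field(default_factory=dict)    # username -> shared secret
    pending: dict = field(default_factory=dict)  # nonce_hex -> issue time of live challenges

    def info(self):
        return {"sp_id": self.sp_id}

    def accept_registration(self, msg):
        if msg["username"] in self.users:
            raise ValueError("username already registered")
        self.users[msg["username"]] = msg["secret"]

    def issue_challenge(self, now):
        """Provider identifier plus fresh nonce: the string a bar code or NFC tag would carry."""
        nonce_hex = secrets.token_hex(16)
        self.pending[nonce_hex] = int(now)
        return f"{self.sp_id}|{nonce_hex}|{int(now)}"

    def verify(self, encoded_challenge, msg, now):
        """Accept only a live, unexpired, single-use challenge with a matching HMAC."""
        sp_id, nonce_hex, issued_at = parse_challenge(encoded_challenge)
        issued = self.pending.pop(nonce_hex, None)  # consume it: a replay fails below
        if sp_id != self.sp_id or issued is None or issued != issued_at:
            return False
        if int(now) - issued > CHALLENGE_TTL:
            return False
        secret = self.users.get(msg["username"])
        if secret is None:
            return False
        return hmac.compare_digest(mac_of(secret, encoded_challenge), msg["response"])


def demo(now=1_700_000_000):
    """Register, authenticate once, then replay the same challenge; returns (True, False)."""
    sp, phone = ServiceProvider("sp.example"), MobileDevice({"personal": "alice"})
    sp.accept_registration(phone.register("personal", sp.info()))
    challenge = sp.issue_challenge(now)
    first = sp.verify(challenge, phone.respond(challenge), now)
    replay = sp.verify(challenge, phone.respond(challenge), now)
    return first, replay
```

Each challenge is consumed on first verification, so a second response to the same challenge is rejected, and the embedded issue time bounds how long a displayed bar code remains usable.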
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| ITBS2008A000031 | 2008-02-11 | ||
| ITBS20080031 ITBS20080031A1 (en) | 2008-02-11 | 2008-02-11 | METHOD AND MOBILE PHONE TO REGISTER AND AUTHENTICATE A USER AT A SERVICE PROVIDER |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2009101549A2 true WO2009101549A2 (en) | 2009-08-20 |
| WO2009101549A3 WO2009101549A3 (en) | 2009-10-08 |
Family
ID=40291477
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/IB2009/050459 Ceased WO2009101549A2 (en) | 2008-02-11 | 2009-02-05 | Method and mobile device for registering and authenticating a user at a service provider |
Country Status (2)
| Country | Link |
|---|---|
| IT (1) | ITBS20080031A1 (en) |
| WO (1) | WO2009101549A2 (en) |
Family Cites Families (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6725269B1 (en) * | 1999-12-02 | 2004-04-20 | International Business Machines Corporation | System and method for maintaining multiple identities and reputations for internet interactions |
| WO2004095316A1 (en) * | 2003-04-24 | 2004-11-04 | Koninklijke Philips Electronics N.V. | Initiating data communication by capturing image |
| WO2005116909A1 (en) * | 2004-05-31 | 2005-12-08 | Alexander Michael Duffy | An apparatus, system and methods for supporting an authentication process |
| US7788729B2 (en) * | 2005-03-04 | 2010-08-31 | Microsoft Corporation | Method and system for integrating multiple identities, identity mechanisms and identity providers in a single user paradigm |
| JP4660398B2 (en) * | 2005-12-23 | 2011-03-30 | 株式会社東芝 | USER AUTHENTICATION SYSTEM, PROVIDING SERVER DEVICE, PORTABLE COMMUNICATION DEVICE, USER PORTABLE COMMUNICATION DEVICE, AUTHORIZER PORTABLE COMMUNICATION DEVICE, AUTHENTICATION SERVER DEVICE AND PROGRAM FOR THESE DEVICES |
- 2008-02-11 IT ITBS20080031 patent/ITBS20080031A1/en unknown
- 2009-02-05 WO PCT/IB2009/050459 patent/WO2009101549A2/en not_active Ceased
Cited By (46)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP2405622A1 (en) * | 2010-07-08 | 2012-01-11 | Scalado AB | Device communication |
| US10020997B2 (en) | 2010-07-08 | 2018-07-10 | Nokia Technologies Oy | Device communication |
| US10200257B2 (en) | 2010-07-08 | 2019-02-05 | Nokia Technologies Oy | Indirect device communication |
| US8869248B2 (en) | 2010-08-16 | 2014-10-21 | Blackberry Limited | Communication system providing wireless authentication for private data access and related methods |
| CN102377769B (en) * | 2010-08-16 | 2015-10-14 | 黑莓有限公司 | Communication system for the wireless authentication of private data access and correlation technique are provided |
| CN102377769A (en) * | 2010-08-16 | 2012-03-14 | 捷讯研究有限公司 | Communication system providing wireless authentication for private data access and related methods |
| EP2421217A1 (en) * | 2010-08-16 | 2012-02-22 | Research In Motion Limited | Communication system providing wireless authentication for private data access and related methods |
| KR101304006B1 (en) * | 2010-08-16 | 2013-09-04 | 리서치 인 모션 리미티드 | Communication system providing wireless authentication for private data access and related methods |
| EP2434720A1 (en) * | 2010-09-22 | 2012-03-28 | IB-Tietotaulu | Task management using a communication connection |
| WO2012129529A1 (en) * | 2011-03-24 | 2012-09-27 | Fedex Corporate Services, Inc. | Systems and methods for electronically signing for a delivered package |
| US8898083B2 (en) | 2011-03-24 | 2014-11-25 | Fedex Corporate Services, Inc. | Systems and methods for electronically signing for a delivered package |
| US20120314090A1 (en) * | 2011-06-10 | 2012-12-13 | Schayne Jallow | Location specific personalized enterprise services using video signature of an electronic display |
| US9094454B2 (en) * | 2011-06-10 | 2015-07-28 | Zone24X7 Inc. | Location specific personalized enterprise services using video signature of an electronic display |
| US8464960B2 (en) | 2011-06-30 | 2013-06-18 | Verisign, Inc. | Trusted barcodes |
| US9213930B2 (en) | 2011-06-30 | 2015-12-15 | Verisign, Inc. | Secure barcodes |
| WO2013043141A1 (en) * | 2011-07-29 | 2013-03-28 | Avea Iletisim Hizmetleri Anonim Sirketi (Teknoloji Merkezi) | Authentication system and method via video call |
| US20140359299A1 (en) * | 2011-10-04 | 2014-12-04 | Relative Cc, Sia | Method for Determination of User's Identity |
| WO2013051916A1 (en) * | 2011-10-04 | 2013-04-11 | Relative Cc, Sia | Method for determination of user's identity |
| EP2764655A4 (en) * | 2011-10-04 | 2015-08-12 | Relative Cc Sia | Method for determination of user's identity |
| WO2013054102A1 (en) * | 2011-10-10 | 2013-04-18 | Intercede Limited | Identity verification |
| US8701166B2 (en) | 2011-12-09 | 2014-04-15 | Blackberry Limited | Secure authentication |
| EP2602735A1 (en) * | 2011-12-09 | 2013-06-12 | Research In Motion Limited | Secure authentication |
| EP2611096A1 (en) * | 2011-12-28 | 2013-07-03 | Gemalto SA | Method for authenticating a user using a second mobile device |
| US9641520B2 (en) | 2012-04-01 | 2017-05-02 | Early Warning Services, Llc | Secure authentication in a multi-party system |
| US9398012B2 (en) | 2012-04-01 | 2016-07-19 | Authentify, Inc. | Secure authentication in a multi-party system |
| EP2834959A4 (en) * | 2012-04-01 | 2015-11-11 | Authentify Inc | SECURE AUTHENTICATION IN A MULTIPARTY SYSTEM |
| US9742763B2 (en) | 2012-04-01 | 2017-08-22 | Early Warning Services, Llc | Secure authentication in a multi-party system |
| EP2834729A4 (en) * | 2012-04-01 | 2016-02-17 | Authentify Inc | SECURE AUTHENTICATION IN A MULTI-PARTY SYSTEM |
| BE1024035B1 (en) * | 2012-04-27 | 2017-10-31 | Lin.K.N.V. | MOBILE AUTHENTICATION SYSTEM |
| US20140040628A1 (en) * | 2012-08-03 | 2014-02-06 | Vasco Data Security, Inc. | User-convenient authentication method and apparatus using a mobile authentication application |
| CN104662864B (en) * | 2012-08-03 | 2018-03-09 | 威斯科数据安全国际有限公司 | The convenient authentication method of user and device that mobile authentication is applied are used |
| WO2014022778A1 (en) * | 2012-08-03 | 2014-02-06 | Vasco Data Security, Inc. | User-convenient authentication method and apparatus using a mobile authentication application |
| CN104662864A (en) * | 2012-08-03 | 2015-05-27 | 威斯科数据安全国际有限公司 | User-convenient authentication method and apparatus using a mobile authentication application |
| US9710634B2 (en) | 2012-08-03 | 2017-07-18 | Vasco Data Security, Inc. | User-convenient authentication method and apparatus using a mobile authentication application |
| WO2015042668A3 (en) * | 2013-09-06 | 2015-05-21 | Lin.K N.V. | Mobile authentication method and system for authenticated access to internet supported services and applications |
| US20160219039A1 (en) * | 2013-09-06 | 2016-07-28 | Mario Houthooft | Mobile Authentication Method and System for Providing Authenticated Access to Internet-Sukpported Services and Applications |
| WO2015043744A1 (en) * | 2013-09-30 | 2015-04-02 | Giesecke & Devrient Gmbh | Method, devices, and system for authentication with respect to a server |
| US9729547B2 (en) | 2013-10-01 | 2017-08-08 | Google Technology Holdings LLC | Systems and methods for credential management between electronic devices |
| WO2015050890A1 (en) * | 2013-10-01 | 2015-04-09 | Motorola Mobility Llc | Systems and methods for credential management between electronic devices |
| US9363251B2 (en) | 2013-10-01 | 2016-06-07 | Google Technology Holdings LLC | Systems and methods for credential management between electronic devices |
| US20160360403A1 (en) * | 2015-01-05 | 2016-12-08 | Ebid,Products & Solutions, S.L. | Procedure for generating a digital identity of a user of a mobile device, digital identity of the user, and authentication procedure using said digital identity of the user |
| US11716207B1 (en) * | 2016-09-08 | 2023-08-01 | Cable Television Laboratories, Inc. | System and method for a dynamic-PKI for a social certificate authority |
| US10594487B2 (en) | 2017-07-27 | 2020-03-17 | International Business Machines Corporation | Password management and verification with a blockchain |
| US10666442B2 (en) | 2017-07-27 | 2020-05-26 | International Business Machines Corporation | Password management and verification with a blockchain |
| RU2701041C1 (en) * | 2018-11-15 | 2019-09-24 | Илья Владимирович Редкокашин | Automated registration method |
| WO2020101529A1 (en) * | 2018-11-15 | 2020-05-22 | Илья Владимирович РЕДКОКАШИН | Method of automated registration |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2009101549A3 (en) | 2009-10-08 |
| ITBS20080031A1 (en) | 2009-08-12 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 09710529; Country of ref document: EP; Kind code of ref document: A2 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 09710529; Country of ref document: EP; Kind code of ref document: A2 |