[go: up one dir, main page]

WO2015152905A1 - Using challenge questions for user authentication - Google Patents

Using challenge questions for user authentication Download PDF

Info

Publication number
WO2015152905A1
WO2015152905A1 PCT/US2014/032596 US2014032596W WO2015152905A1 WO 2015152905 A1 WO2015152905 A1 WO 2015152905A1 US 2014032596 W US2014032596 W US 2014032596W WO 2015152905 A1 WO2015152905 A1 WO 2015152905A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
data
request
challenge questions
authentication system
Prior art date
Application number
PCT/US2014/032596
Other languages
French (fr)
Inventor
Leon Barnat BROWN
Original Assignee
Hewlett-Packard Development Company, L.P.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hewlett-Packard Development Company, L.P. filed Critical Hewlett-Packard Development Company, L.P.
Priority to PCT/US2014/032596 priority Critical patent/WO2015152905A1/en
Publication of WO2015152905A1 publication Critical patent/WO2015152905A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions

Definitions

  • Authentication techniques aim to reduce or prevent identity theft by proving the identity of a user.
  • Some examples of authentication techniques include personal identification numbers (PINs) or passwords, public key infrastructure (PKI), biometric indicators (e.g., fingerprint, iris scan, voice recognition, and so on), and electronic tags (e.g., radio frequency identifier (RFID)) comprising a unique tag identifier.
  • PINs personal identification numbers
  • PKI public key infrastructure
  • biometric indicators e.g., fingerprint, iris scan, voice recognition, and so on
  • electronic tags e.g., radio frequency identifier (RFID) comprising a unique tag identifier.
  • RFID radio frequency identifier
  • FIG. 1 illustrates an example of an authentication system for
  • FIG. 2 illustrates another example of an authentication system for authenticating a user based on challenge questions generated from user data
  • FIG. 3 is an example of a flowchart illustrating a method for
  • FIG. 4 is another example of a flowchart illustrating a method for authenticating a user based on challenge questions generated from user data
  • FIG. 5 illustrates an example of an authentication system including a computer-readable medium having instructions to authenticate a user based on challenge questions generated trom user data.
  • Authentication techniques that involve username and password combinations may be susceptible to attacks by simple guessing or by using brute force algorithms.
  • authentication techniques that use card keys or similar devices can easily be stolen or misplaced.
  • some of these devices are expensive, require battery power, and may be subject to drive-by snooping.
  • some users simply do not like the use of biometrie indicators for authentication.
  • the described examples address the above concerns by providing a solution for authenticating a performmg a transaction by using challenge questions based on user data that may significantly reduce the chance of an attacker or impostor being able to correctly answer the chailenge questions.
  • the solution leverages an individual's personal data, in unique combinations, to provide a significantly more secure validation that the individual answering the question is truly the person associated with, the account or transaction.
  • the described solution generates chailenge questions based on user data (e.g., personal data) and recent activities on the user's device (e.g., computing device, payment device) for authentication purposes. The combination of data and recent user activities may significantly lower the possibility of scamming, and provide a secure authentication solution at reduced cost.
  • an authentication system includes a storage device to store user data and a transaction processing module to receive a transaction request associated with, the user.
  • the authe t cation system also includes an authentication module to access the user data to generate challenge questions from the user data to authenticate the user, in response to the request.
  • a method for authenticating a user includes receiving, by an authentication system, a request to process a transaction, and. accessing user data stored at a storage device, in response to the request. The method includes generating challenge questions for authenticating the user based on the user data.
  • a non-transitory computer-readable medium includes instructions that, when executed by a processor of an authentication system, causes the system to receive a request to process a transaction, and. access user data stored at a storage device, in response to the request.
  • the instructions are also executable to generate challenge questions for authenticating the user based, on the user data, and. execute the transaction request when the user provides correct answers to the challenge questions.
  • FIG. 1 is an example of an authentication system for authenticating a user based on challenge questions generated from user data.
  • Authentication system 102 can be any computing device or apparatus for authenticating a user.
  • authentication system 102 can be a terminal such as a payment terminal (e.g., a point of sale terminal, a merchant terminal, an access terminal, etc).
  • Authentication system 102 includes storage device 104, transaction processing module 106, and authentication module 108.
  • Storage device 104 represents generally any device or combination of devices for storing user data 1 14.
  • Storage device 104 can be, for example, a database that is online or offline, a storage medium of a computing device, or a server (e.g., cloud based, server).
  • FIG. 1 illustrates storage device 104 as being internal to the authentication system 102, storage device 104 can be external to and accessible to the authentication system 102 (e.g., via a network). Because users leave behind trails of digital footprint as the go about their everyday life, user data 1 14 can be captured by a variety of information and communication technologies accessed and utilized by users.
  • user data 1 14 includes personal data such as demographic data, financial data, government records, health and medical data, relationships data, and so on.
  • user data 1 14 includes recent activities by the user, from computing and payment devices, such as content consumption and viewing data, web browsing, data from user communications (IM/SMS, social networking, online posts, etc.), retail and content websites, travel and location data, brand affinity, purchasing patterns and data, and so on.
  • user data 1 14 can include data volunteered by the user such as data created and shared by the user (e.g., social network profiles), observed data such as data captured by recording and tracking actions of the user (e.g., location data from user's smartphone), and inferred data such as data abou t the user based on analysis of volunteered and observed information (e.g., credit card scores).
  • personal data can include individual identity data, behavioral data, derived data, and self-identified data.
  • User data 1 14 can be grouped and categorized, for example, by type,
  • Transaction processing module 106 can include a series of instructions encoded on a machine-readable storage medium and executable by a processor.
  • transaction processing module 106 may include one or more hardware devices including electronic circuitry for implementing the functionality described below.
  • transaction processing module 106 can be implemented as a combination of software and hardware.
  • Transaction processing module 106 can receive a transaction request 1 18 associated with the user.
  • transaction processing module 106 can receive a request to process a user payment tendered via a credit card, debit card, automated teller machine (ATM) card, bank card, gift card, R.FID device, mobile device, or any- other payment device or computing device associated with the user.
  • the user may tender the payment device or mechanism at a terminal (e.g., a merchant terminal or point-of-sale).
  • the transaction request can be an access grant or a validation request.
  • an access grant the user may request access to a computing device, system, or network, or the user may request access to a building, room, or even an automobile.
  • Authentication module 108 can include a series of instructions encoded on a machine-readable storage medium and executable by a processor.
  • authentication module 108 may include one or more hardware devices including electronic circuitry for implementing the functionality described, below.
  • authentication module 108 can be implemented as a combination of software and hardware.
  • Authentication module 108 can access the user data 1 14 stored at the storage device 104 (i.e.. internal to or external to the authentication system 102 ⁇ to generate challenge questions 1 18 for authenticating the user, in response to the transaction request.
  • authentication module 108 may generate three, four, or five challenge questions 118 based on at least one of the user's personal data and the user's recent activities. It should be noted however that any number of challenge questions 1 18 may be generated.
  • the challenge questions 118 can be based, on any combination of the user data 114, Moreover, the challenge questions 1 18 can be dynamically generated such that a different set of challenge questions 118 can be used at each authentication attempt/process.
  • challenge questions 1 18 generated may include combinations and variations of the user data 114 extracted from various sources.
  • Example challenge questions 1 18 may include: “What day of the week did you purchase gas?" 'Tick your browsing history from two days ago” (display shows a three browsing histories), “Where was this photo taken?" (using memor ⁇ ' plus GPS data extracted from the photo to verify correct answer), “which of these cat photos is the last you took?" "What city were you when you wrote this (IM/SMS/post/comment)?” (using social networking information and GPS information).
  • Other challenge questions 1 18 can include, for example, questions related to the user's recent shopping activities such as name of store and goods purchased; questions related to the user's airline data such as position where the user sat during a recent trip (aisle, middle, or window), what movie/food/duty-free purchases the user made; questions related to GPS data extracted from the user's devices such as what routes the user took to a particular place, mode of transportation, and average speed; questions related to the user's content consumption activities such as what eBook the user read at a certain time, approximate page number: questions related to the user's web browsing history such as what articles the user read recently, travel or other event planning researched online, validation of destinations researched online, temperature of such locations, and so on.
  • a multitude of challenge questions 8 can be dynamically generated to authenticate the user by combinations and variations of the user data 1 14. Further, the challenge questions 114 may exclude data that is public to increase the robustness of the authentication process.
  • the user can opt in and out of certain types or categories of data from which challenge questions may be generated.
  • the user may selected one or more types or classes of data to be used for
  • the user may select types of user data 1 14 from which challenge questions should be generated. For example, the user can designate recent purchasing activities, web browsing history, content consumption activity, brand affinity, etc. as data from which the challenge questions 1 18 can be generated. As aiiother example, the user can indicate that challenge questions 118 may not be selected from government records, medical records, and insurance records.
  • transaction processing module 106 grants the transaction request. For example, transaction processing module 106 can process the payment, grant access to the user, or validate the user, depending on the nature of the transaction request. If however, the user does not correctly answer the challenge questions 1 18, processing of the transaction request is denied.
  • FIG. 2 is an example of an authentication system for authentica ting a user based on challenge questions generated from user data.
  • storage device 104 can be external to and accessible by the authentication system 102 (e.g., via a network such as the Internet), or storage device 104 can be internal to the system 102.
  • Storage device 104 includes user data 1 14 from which challenge questions 1 18 may be generated.
  • Challenge questions 1 18 can include the user's personal data and the user's recent activities such as, for example, purchasing habits, listening habits, location information, family members, vacation spots, viewing time and.
  • storage device 104 including user data 114 may be located on the user's computing device 210 (e.g., portable computing device, smartpbone, tablet, etc.) or embedded in a payment device 220 (e.g., credit card, etc.). To illustrate, if the user is making a purchase using device 210, the system 102 may generate the challenge questions 118 based on a combination and variations of user data 104 captured and/or stored on the user's device 210.
  • the system 102 may generate the challenge questions 118 based on a combination of user data 104 embedded, stored on, or captured by the credit card 220 (e.g., recent purchases and location of such purchases by the user via the credit card 220).
  • FIG. 3 is an example of a flowchart illustrating a method for
  • Method 300 may be implemented, for example, in the form of executable instructions stored on a non-transitory computer-readable storage medium and/or in the form of electronic circuitry.
  • Method 300 includes receiving, by an authentication system, a request to process a transaction, at 310.
  • transaction processing module 106 can receive a transaction request associated with a user.
  • the transaction request can include one of a payment processing requests from an account associated with the user, an access request into a building, system, or network, and a user validation request.
  • Method 300 includes accessing user data stored at a storage device, in response to the request, at 320.
  • authentication module 108 can access user data 1 14 stored at a storage device 104.
  • Storage device 104 can be a storage device of the authentication system 102 (i.e., internal to the system 102) or can be external and. accessible to the system 102, for example, via a network.
  • Method 300 includes generating challenge questions for authenticating the user based on the user data, at 330.
  • authentication module 108 can generate challenge questions 1 18 based on the user data 14.
  • the challenge questions 118 can be generated based on recent activities by the user as recorded and/or tracked trom the user's payment device or computing device, or based on the user's personal data/i formation.
  • the challenge questions 1 18 can be dynamic such that a different set of challenge questions can be used at each authentication attempt.
  • the method 300 of FIG. 3 includes additional steps in addition to and/or in lieu of those depicted, in FIG, 3.
  • FIG. 4 is another example of a flowchart illustrating a method for authenticating a user based on challenge questions generated from user data.
  • Method 400 may be implemented, for example, in the form of executable instructions stored on a non-transitory computer-readable storage medium and/or in the form of electronic circuitry.
  • Method 400 includes receiving, from a user, a selection of at least one type of user data from a plurality of user data for authenticating the user, and storing the selection, at 410,
  • a user can select what type, set, or group of user data from the plurality of user data 1 14 can be used for authentication processes.
  • a user may desire to be asked challenge questions based on web browsing history, recent purchases, content consumption, but not based on government records, medical records, or financial records.
  • the user's customized selection can be stored at the storage device 104.
  • Method 400 includes receiving a request to process a transaction, at 420.
  • transaction processing module 106 can receive a transaction request such as a payment request, an access request, or a validation request.
  • Method 400 includes accessing user data correspondmg to the user selection, at 430.
  • authentication module 108 can access the subset of user data 1 14 corresponding to the user's customized authentication data, stored at the storage device 104.
  • Method 400 includes generating challenge questions for authenticating the user based on the user selection, at 440, and receiving, from the user, answers to the challenge questions.
  • authentication module 108 can generate challenge questions 118 from the subset of user data for authenticating the user, and receiving the user's response to the challenge questions 118.
  • the system 102 can display the challenge questions 118 at a display device or screen in text and/or images, and receive user input in response to the challenge questions 1 18 via a graphical user interface, display device, or keypad.
  • Method 400 includes determining whether the user provides the correct aiiswers to the challenge questions, at 460.
  • method 400 includes executing the transaction request, at 470. However, if the user provides incorrect answers to the challenge questions, method 400 includes denying the transaction request, at 480. For example, authentication module 108 compares the user's aiiswers to the challenge questions 1 18 to the actual answers to the challenge questions 1 18 to determine if the user's answers are correct or incorrect. If the user's answers are correct (i.e., correct answer to every challenge question 1 18 presented), transaction processing module executes the transaction. However, if the user's answers are incorrect, the user's request is denied. In some examples, the method 300 of FIG. 3 includes additional steps in addition to and/or in lieu of those depicted in FIG. 3.
  • FIG. 5 illustrates an example of an authentication system including a computer-readable medium having instructions to authenticate a user based on challenge questions generated from user data.
  • Authentication system 500 can include a non-transitor computer-readable medium 520.
  • the non-transitory computer- readable medium 520 can include instructions 521 -524 that if executed by a processor 510 can cause the authentication system 500 to perform the functionality described below.
  • request receiving instructions 521 are executable to receive a request to process a transaction.
  • Data accessing instructions 522 are executable to access user data stored at a storage device, in response to the request.
  • Challenge question generating instructions 523 are executable to generate challenge questions for authenticating the user based on the user data.
  • Request processing instructions 524 are executable to execute the request when t e user provides correct answers to the challenge questions.
  • the techniques described above may be embodied in a computer-readable medium for configuring a computing system to execute the method.
  • the computer- readable media may include, for example and without limitation, any number of the following non-transitive mediums: magnetic storage media including disk and tape storage media; optical storage media such as compact disk media (e.g., CD-ROM, CD-R, etc.) and digital video disk storage media; holographic memory; nonvolatile memory storage media including semiconductor-based, memory units such as FLASH memory. EEPROM, EPROM, ROM; ferromagnetic digital memories; volatile storage media including registers, buffers or caches, main memory, RAM, etc.; and the Internet, just to name a few.
  • magnetic storage media including disk and tape storage media
  • optical storage media such as compact disk media (e.g., CD-ROM, CD-R, etc.) and digital video disk storage media
  • holographic memory nonvolatile memory storage media including semiconductor-based, memory units such as FLASH memory.
  • Computing systems may be found in many forms including but not limited to mainframes, minicomputers, servers, workstations, personal computers, notepads, personal digital assistants, tablets, smartphones, various wireless devices and embedded systems, just to name a few.

Landscapes

  • Business, Economics & Management (AREA)
  • Engineering & Computer Science (AREA)
  • Accounting & Taxation (AREA)
  • Computer Security & Cryptography (AREA)
  • Finance (AREA)
  • Strategic Management (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)

Abstract

An authentication system in accordance with an example includes a storage device to store user data. The authentication system includes a transaction processing module to receive a transaction request associated with the user, and an authentication module to access the user data to generate challenge questions from the user data to authenticate the user, in response to the request.

Description

USING CHALLENGE QUESTIONS FOR USER AUTHENTICATION
BACKGROUND
[0001 ] Recently, a lot of attention and research has been devoted to the prevention of identity theft and fraud, due to threats posed to all aspects of commercial and consumer activities. Authentication techniques aim to reduce or prevent identity theft by proving the identity of a user. Some examples of authentication techniques include personal identification numbers (PINs) or passwords, public key infrastructure (PKI), biometric indicators (e.g., fingerprint, iris scan, voice recognition, and so on), and electronic tags (e.g., radio frequency identifier (RFID)) comprising a unique tag identifier.
BRIEF DESCRIPTION OF THE DRAWINGS
[0002] Some examples of the present application are described with respect to the following figures:
[0003] FIG. 1 illustrates an example of an authentication system for
authenticating a user based on challenge questions generated from user data;
[0004] FIG. 2 illustrates another example of an authentication system for authenticating a user based on challenge questions generated from user data;
[0005] FIG. 3 is an example of a flowchart illustrating a method for
authenticating a user based on challenge questions generated from user data;
[0006] FIG. 4 is another example of a flowchart illustrating a method for authenticating a user based on challenge questions generated from user data; and
[0007] FIG. 5 illustrates an example of an authentication system including a computer-readable medium having instructions to authenticate a user based on challenge questions generated trom user data. n
Figure imgf000003_0001
[0008 In many instances, it may be necessary to validate or authenticate a user performing a transaction such a credit card transaction or access control, to prove that the user is the individual authorized to perform the transaction. Many authentication techniques are currently employed today. For example, some authentication techniques require someone (e.g., a store clerk) to validate the user by visual inspection and/or comparison of a payment device (e.g., credit card) with a secondary form of identification. However, in a scenario where a store clerk or cashier has to visually inspect the customer, there may be a time constraint imposed (e.g., other customers may be in line), occurrence of errors due to look-alikes, training costs, and general inefficiency. Authentication techniques that involve username and password combinations may be susceptible to attacks by simple guessing or by using brute force algorithms. As another example, authentication techniques that use card keys or similar devices can easily be stolen or misplaced. Moreover, some of these devices are expensive, require battery power, and may be subject to drive-by snooping. In addition to being relatively expensive due to set-up cost and occasional errors, some users simply do not like the use of biometrie indicators for authentication.
[0009] The described examples address the above concerns by providing a solution for authenticating a performmg a transaction by using challenge questions based on user data that may significantly reduce the chance of an attacker or impostor being able to correctly answer the chailenge questions. The solution leverages an individual's personal data, in unique combinations, to provide a significantly more secure validation that the individual answering the question is truly the person associated with, the account or transaction. The described solution generates chailenge questions based on user data (e.g., personal data) and recent activities on the user's device (e.g., computing device, payment device) for authentication purposes. The combination of data and recent user activities may significantly lower the possibility of scamming, and provide a secure authentication solution at reduced cost. The user data may include personal data such as health records, financial records, insurance information, etc., and the recent activities may include activities such as purchasing activities, browsing activities, travel activities, etc. |0010] In one example, an authentication system includes a storage device to store user data and a transaction processing module to receive a transaction request associated with, the user. The authe t cation system also includes an authentication module to access the user data to generate challenge questions from the user data to authenticate the user, in response to the request.
[0011 ] In another example, a method for authenticating a user includes receiving, by an authentication system, a request to process a transaction, and. accessing user data stored at a storage device, in response to the request. The method includes generating challenge questions for authenticating the user based on the user data.
[0012] In another example, a non-transitory computer-readable medium includes instructions that, when executed by a processor of an authentication system, causes the system to receive a request to process a transaction, and. access user data stored at a storage device, in response to the request. The instructions are also executable to generate challenge questions for authenticating the user based, on the user data, and. execute the transaction request when the user provides correct answers to the challenge questions.
[0013] Referring no to the figures, FIG. 1 is an example of an authentication system for authenticating a user based on challenge questions generated from user data. Authentication system 102 can be any computing device or apparatus for authenticating a user. In certain examples, authentication system 102 can be a terminal such as a payment terminal (e.g., a point of sale terminal, a merchant terminal, an access terminal, etc). Authentication system 102 includes storage device 104, transaction processing module 106, and authentication module 108.
[0014] Storage device 104 represents generally any device or combination of devices for storing user data 1 14. Storage device 104 can be, for example, a database that is online or offline, a storage medium of a computing device, or a server (e.g., cloud based, server). Although FIG. 1 illustrates storage device 104 as being internal to the authentication system 102, storage device 104 can be external to and accessible to the authentication system 102 (e.g., via a network). Because users leave behind trails of digital footprint as the go about their everyday life, user data 1 14 can be captured by a variety of information and communication technologies accessed and utilized by users. [0015] For example, user data 1 14 includes personal data such as demographic data, financial data, government records, health and medical data, relationships data, and so on. As another example, user data 1 14 includes recent activities by the user, from computing and payment devices, such as content consumption and viewing data, web browsing, data from user communications (IM/SMS, social networking, online posts, etc.), retail and content websites, travel and location data, brand affinity, purchasing patterns and data, and so on. Accordingly, user data 1 14 can include data volunteered by the user such as data created and shared by the user (e.g., social network profiles), observed data such as data captured by recording and tracking actions of the user (e.g., location data from user's smartphone), and inferred data such as data abou t the user based on analysis of volunteered and observed information (e.g., credit card scores). Moreover, personal data can include individual identity data, behavioral data, derived data, and self-identified data. User data 1 14 can be grouped and categorized, for example, by type,
[0016] Transaction processing module 106 can include a series of instructions encoded on a machine-readable storage medium and executable by a processor. In addition, or as an alternative, transaction processing module 106 may include one or more hardware devices including electronic circuitry for implementing the functionality described below. Thus, transaction processing module 106 can be implemented as a combination of software and hardware.
[0017] Transaction processing module 106 can receive a transaction request 1 18 associated with the user. For example, transaction processing module 106 can receive a request to process a user payment tendered via a credit card, debit card, automated teller machine (ATM) card, bank card, gift card, R.FID device, mobile device, or any- other payment device or computing device associated with the user. In such an example, the user may tender the payment device or mechanism at a terminal (e.g., a merchant terminal or point-of-sale). In some other examples, the transaction request can be an access grant or a validation request. In the example of an access grant, the user may request access to a computing device, system, or network, or the user may request access to a building, room, or even an automobile. In still other examples, the user may request to be validated for some purpose. Accordingly, the transaction request by the user triggers an authentication process. fOOlS] Authentication module 108 can include a series of instructions encoded on a machine-readable storage medium and executable by a processor. In addition, or as an alternative, authentication module 108 may include one or more hardware devices including electronic circuitry for implementing the functionality described, below. Thus, authentication module 108 can be implemented as a combination of software and hardware.
[0019] Authentication module 108 can access the user data 1 14 stored at the storage device 104 (i.e.. internal to or external to the authentication system 102} to generate challenge questions 1 18 for authenticating the user, in response to the transaction request. For example, authentication module 108 may generate three, four, or five challenge questions 118 based on at least one of the user's personal data and the user's recent activities. It should be noted however that any number of challenge questions 1 18 may be generated. Further, the challenge questions 118 can be based, on any combination of the user data 114, Moreover, the challenge questions 1 18 can be dynamically generated such that a different set of challenge questions 118 can be used at each authentication attempt/process.
[0020] To illustrate, during an authentication process, challenge questions 1 18 generated may include combinations and variations of the user data 114 extracted from various sources. Example challenge questions 1 18 may include: "What day of the week did you purchase gas?" 'Tick your browsing history from two days ago" (display shows a three browsing histories), "Where was this photo taken?" (using memor}' plus GPS data extracted from the photo to verify correct answer), "which of these cat photos is the last you took?" "What city were you when you wrote this (IM/SMS/post/comment)?" (using social networking information and GPS information).
[0021] Other challenge questions 1 18 can include, for example, questions related to the user's recent shopping activities such as name of store and goods purchased; questions related to the user's airline data such as position where the user sat during a recent trip (aisle, middle, or window), what movie/food/duty-free purchases the user made; questions related to GPS data extracted from the user's devices such as what routes the user took to a particular place, mode of transportation, and average speed; questions related to the user's content consumption activities such as what eBook the user read at a certain time, approximate page number: questions related to the user's web browsing history such as what articles the user read recently, travel or other event planning researched online, validation of destinations researched online, temperature of such locations, and so on. As illustrated, a multitude of challenge questions 8 can be dynamically generated to authenticate the user by combinations and variations of the user data 1 14. Further, the challenge questions 114 may exclude data that is public to increase the robustness of the authentication process.
[0022] In some examples, the user can opt in and out of certain types or categories of data from which challenge questions may be generated. To illustrate, the user may selected one or more types or classes of data to be used for
authentication. Thus, the user may select types of user data 1 14 from which challenge questions should be generated. For example, the user can designate recent purchasing activities, web browsing history, content consumption activity, brand affinity, etc. as data from which the challenge questions 1 18 can be generated. As aiiother example, the user can indicate that challenge questions 118 may not be selected from government records, medical records, and insurance records.
[0023] If the user correctly answers all the challenge questions 118 generated by the authentication module 108, transaction processing module 106 grants the transaction request. For example, transaction processing module 106 can process the payment, grant access to the user, or validate the user, depending on the nature of the transaction request. If however, the user does not correctly answer the challenge questions 1 18, processing of the transaction request is denied.
[0024] FIG. 2 is an example of an authentication system for authentica ting a user based on challenge questions generated from user data. In the example of FIG. 2, storage device 104 can be external to and accessible by the authentication system 102 (e.g., via a network such as the Internet), or storage device 104 can be internal to the system 102. Storage device 104 includes user data 1 14 from which challenge questions 1 18 may be generated. Challenge questions 1 18 can include the user's personal data and the user's recent activities such as, for example, purchasing habits, listening habits, location information, family members, vacation spots, viewing time and. location, viewing patterns and preferences, spending patterns, brand affinity, shopping pattern, music preferences, types of mo vies/genres, volunteered data, identity data, medical record, financial record, government record, browsing activities, and so on. [0025] Further, in FIG. 2, storage device 104 including user data 114 may be located on the user's computing device 210 (e.g., portable computing device, smartpbone, tablet, etc.) or embedded in a payment device 220 (e.g., credit card, etc.). To illustrate, if the user is making a purchase using device 210, the system 102 may generate the challenge questions 118 based on a combination and variations of user data 104 captured and/or stored on the user's device 210. To illustrate further, if the user is making a purchase using a credit card. 220, the system 102 may generate the challenge questions 118 based on a combination of user data 104 embedded, stored on, or captured by the credit card 220 (e.g., recent purchases and location of such purchases by the user via the credit card 220).
[0026] FIG. 3 is an example of a flowchart illustrating a method for
authenticating a user based on challenge questions generated from user data. Method 300 may be implemented, for example, in the form of executable instructions stored on a non-transitory computer-readable storage medium and/or in the form of electronic circuitry.
[0027] Method 300 includes receiving, by an authentication system, a request to process a transaction, at 310. For example, transaction processing module 106 can receive a transaction request associated with a user. The transaction request can include one of a payment processing requests from an account associated with the user, an access request into a building, system, or network, and a user validation request.
[0028] Method 300 includes accessing user data stored at a storage device, in response to the request, at 320. For example, authentication module 108 can access user data 1 14 stored at a storage device 104. Storage device 104 can be a storage device of the authentication system 102 (i.e., internal to the system 102) or can be external and. accessible to the system 102, for example, via a network.
[0029] Method 300 includes generating challenge questions for authenticating the user based on the user data, at 330. For example, authentication module 108 can generate challenge questions 1 18 based on the user data 14, The challenge questions 118 can be generated based on recent activities by the user as recorded and/or tracked trom the user's payment device or computing device, or based on the user's personal data/i formation. Further, the challenge questions 1 18 can be dynamic such that a different set of challenge questions can be used at each authentication attempt. In some examples, the method 300 of FIG. 3 includes additional steps in addition to and/or in lieu of those depicted, in FIG, 3.
[0030] FIG. 4 is another example of a flowchart illustrating a method for authenticating a user based on challenge questions generated from user data. Method 400 may be implemented, for example, in the form of executable instructions stored on a non-transitory computer-readable storage medium and/or in the form of electronic circuitry.
|0031] Method 400 includes receiving, from a user, a selection of at least one type of user data from a plurality of user data for authenticating the user, and storing the selection, at 410, For example, a user can select what type, set, or group of user data from the plurality of user data 1 14 can be used for authentication processes. For example, a user may desire to be asked challenge questions based on web browsing history, recent purchases, content consumption, but not based on government records, medical records, or financial records. The user's customized selection can be stored at the storage device 104.
[0032] Method 400 includes receiving a request to process a transaction, at 420. For example, transaction processing module 106 can receive a transaction request such as a payment request, an access request, or a validation request.
[0033] Method 400 includes accessing user data correspondmg to the user selection, at 430. For example, authentication module 108 can access the subset of user data 1 14 corresponding to the user's customized authentication data, stored at the storage device 104.
[0034] Method 400 includes generating challenge questions for authenticating the user based on the user selection, at 440, and receiving, from the user, answers to the challenge questions. For example, authentication module 108 can generate challenge questions 118 from the subset of user data for authenticating the user, and receiving the user's response to the challenge questions 118. In some examples, the system 102 can display the challenge questions 118 at a display device or screen in text and/or images, and receive user input in response to the challenge questions 1 18 via a graphical user interface, display device, or keypad. 0035] Method 400 includes determining whether the user provides the correct aiiswers to the challenge questions, at 460. If the user provides correct aiiswers to the challenge questions, method 400 includes executing the transaction request, at 470. However, if the user provides incorrect answers to the challenge questions, method 400 includes denying the transaction request, at 480. For example, authentication module 108 compares the user's aiiswers to the challenge questions 1 18 to the actual answers to the challenge questions 1 18 to determine if the user's answers are correct or incorrect. If the user's answers are correct (i.e., correct answer to every challenge question 1 18 presented), transaction processing module executes the transaction. However, if the user's answers are incorrect, the user's request is denied. In some examples, the method 300 of FIG. 3 includes additional steps in addition to and/or in lieu of those depicted in FIG. 3.
[0036] FIG. 5 illustrates an example of an authentication system including a computer-readable medium having instructions to authenticate a user based on challenge questions generated from user data. Authentication system 500 can include a non-transitor computer-readable medium 520. The non-transitory computer- readable medium 520 can include instructions 521 -524 that if executed by a processor 510 can cause the authentication system 500 to perform the functionality described below.
[0037] For example, request receiving instructions 521 are executable to receive a request to process a transaction. Data accessing instructions 522 are executable to access user data stored at a storage device, in response to the request. Challenge question generating instructions 523 are executable to generate challenge questions for authenticating the user based on the user data. Request processing instructions 524 are executable to execute the request when t e user provides correct answers to the challenge questions.
[0038] The techniques described above may be embodied in a computer-readable medium for configuring a computing system to execute the method. The computer- readable media may include, for example and without limitation, any number of the following non-transitive mediums: magnetic storage media including disk and tape storage media; optical storage media such as compact disk media (e.g., CD-ROM, CD-R, etc.) and digital video disk storage media; holographic memory; nonvolatile memory storage media including semiconductor-based, memory units such as FLASH memory. EEPROM, EPROM, ROM; ferromagnetic digital memories; volatile storage media including registers, buffers or caches, main memory, RAM, etc.; and the Internet, just to name a few. Other new and obvious types of computer-readable media may be used to store the software modules discussed, herein. Computing systems may be found in many forms including but not limited to mainframes, minicomputers, servers, workstations, personal computers, notepads, personal digital assistants, tablets, smartphones, various wireless devices and embedded systems, just to name a few.
[0039] In the foregoing description, numerous details are set forth to provide an understanding of the present disclosure. However, it will be understood by those skilled in the art that the present disclosure may be practiced without these details. While the present disclosure has been disclosed with respect to a limited number of examples, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover such modifications and. variations as fall within the true spirit and scope of the present disclosure.

Claims

I I What is claimed is:
1 . An authentication system, comprising:
a storage device to store user data;
a transaction processing module to receive a transaction request associated with the user; and
an authentication module to access the user data to generate challenge
questions from the user data to authenticate the user, in response to the request.
2. The authentication system of claim 1, wherein the transaction request includes one of a purchase payment, an access request, and a validation of the user.
3. The authentication system of claim 1 , wherein the transaction request is via at least one of a computing device and a payment device, wherein the payment device includes a credit card, a debit card, an automated, teller machine (ATM) card, bank card, a gift card, a radio frequency identification (RFID) device, or a mobile device.
4. The authentication system of claim 3, wherein the user data includes personal data and recent activities of the user from at least one of the computing device and the payment device,
5. The authentication system of claim 4, wherein the recent activities include at least one of activities tracked, by applications and sendees accessed by the user, location data captured by a location based service of the computing device, and data captured by tracking modules in at least one of the computing device and the payment device.
6. The authentication system of claim 4, wherein the recent activities include at least one of purchases, travels, location data, content consumption, brand affinity, social network profiles, and web browsing data.
7. The authentication system of claim 3, wherein the personal data includes at least one of government records, financial records, health records, insurance records, relationship and family information.
8. The authentication system of claim 1, wherein the authentication system is to receive a user selection of at least one type of data from a plurality of data types from which the challenge questions are to be generated, and wherein the
authentication module is to generate the challenge questions based on the user selection.
9. The authentication system of claim 1 , wherein the transaction processing module is to grant the transaction request when the user correctly answers the challenge questions.
10. The authentication system of claim 1, wherein the transaction processing module includes one of a merchant terminal, a point of sale terminal, and an access terminal.
1 1. A method for authenticating a user, comprising:
receiving, by an authentication system, a request to process a transaction; accessing user data stored at a storage device, in response to the request; and generating challenge questions for authenticating the user based on the user data.
12. The method of claim 11 , comprising:
receiving, from the user, answers to the challenge questions;
processing the transaction if the user provides correct answers to the challenge questions; and
denying processing of the transaction if the user provides incorrect answers to the challenge questions,
wherein the transaction request includes at least one of a purchase payment, a money transfer, and an access grant,
wherein the transaction request is received via at least one of a computing device and a payment device, and wherein the user data includes personal data and recent activities of the user extracted from the at least one computing device and payment device, and data provided by the user.
13. The method of claim 1 1 , comprising:
receiving, from the user, a selection of at least one type of user data from a plurality of user data ty pes for authenticating the user; and generating the challenge questions based on the user selection,
wherein the data types include purchase activities, location data, content
consumption, brand affinity, social network profiles, web browsing activities, government records, financial records, health and insurance records, and. genealogical data.
14. A non-transitory computer-readable medium comprising instructions that, when executed by a processor of an authentication system, causes the system to: receive a request to process a transaction;
access user data stored at a storage device, in response to the request;
generate challenge questions for authenticating the user based on the user data;
and
execute the request when the user provides correct answers to the challenge questions.
15. The non-transitory computer-readable medium of claim 14, wherein the instructions are further executable to:
receive, from the user, a selection of at least one type of user data to be used. by the system for authenticating the user prior to receipt of the request; and
generate the challenge questions based on the selection,
wherein the user data includes at least one of personal data of the user, recent user activities extracted, from at least one of a computing device and a payment device of the user, and data provided by the user, and wherein the request is received from at least one of the computing device and the payment device.
PCT/US2014/032596 2014-04-01 2014-04-01 Using challenge questions for user authentication WO2015152905A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/US2014/032596 WO2015152905A1 (en) 2014-04-01 2014-04-01 Using challenge questions for user authentication

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2014/032596 WO2015152905A1 (en) 2014-04-01 2014-04-01 Using challenge questions for user authentication

Publications (1)

Publication Number Publication Date
WO2015152905A1 true WO2015152905A1 (en) 2015-10-08

Family

ID=54241034

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2014/032596 WO2015152905A1 (en) 2014-04-01 2014-04-01 Using challenge questions for user authentication

Country Status (1)

Country Link
WO (1) WO2015152905A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017196307A1 (en) * 2016-05-10 2017-11-16 Danal Inc. Methods and systems for identity verification at self-service machines
US10623401B1 (en) 2017-01-06 2020-04-14 Allstate Insurance Company User authentication based on telematics information
US20200226285A1 (en) * 2016-08-23 2020-07-16 BBM Health LLC Blockchain-based mechanisms for secure health information resource exchange
US20230035570A1 (en) * 2021-07-27 2023-02-02 Capital One Services, Llc Authenticating Based On User Behavioral Transaction Patterns
US20240013211A1 (en) * 2022-07-05 2024-01-11 Capital One Services, Llc Computer Authentication Using Transaction Questions That Exclude Peer-to-Peer Transactions

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020152156A1 (en) * 2000-02-25 2002-10-17 Kathleen Tyson-Quah Method of and system for mitigating risk associated with settling of foreign exchange and other payments-based transactions
US20130067546A1 (en) * 2011-09-08 2013-03-14 International Business Machines Corporation Transaction authentication management system with multiple authentication levels
US20130290119A1 (en) * 2012-04-27 2013-10-31 Mastercard International, Inc. Method for Providing Payment Card Security Using Registrationless Telecom Geolocation Capture
US8646060B1 (en) * 2013-07-30 2014-02-04 Mourad Ben Ayed Method for adaptive authentication using a mobile device
US20140081732A1 (en) * 2012-09-14 2014-03-20 Intice, Inc. Incentivized, authenticated presence verified prospect aggregator

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020152156A1 (en) * 2000-02-25 2002-10-17 Kathleen Tyson-Quah Method of and system for mitigating risk associated with settling of foreign exchange and other payments-based transactions
US20130067546A1 (en) * 2011-09-08 2013-03-14 International Business Machines Corporation Transaction authentication management system with multiple authentication levels
US20130290119A1 (en) * 2012-04-27 2013-10-31 Mastercard International, Inc. Method for Providing Payment Card Security Using Registrationless Telecom Geolocation Capture
US20140081732A1 (en) * 2012-09-14 2014-03-20 Intice, Inc. Incentivized, authenticated presence verified prospect aggregator
US8646060B1 (en) * 2013-07-30 2014-02-04 Mourad Ben Ayed Method for adaptive authentication using a mobile device

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017196307A1 (en) * 2016-05-10 2017-11-16 Danal Inc. Methods and systems for identity verification at self-service machines
US20200226285A1 (en) * 2016-08-23 2020-07-16 BBM Health LLC Blockchain-based mechanisms for secure health information resource exchange
US11657176B2 (en) * 2016-08-23 2023-05-23 Health Blockchain Convergence, Inc. Blockchain-based mechanisms for secure health information resource exchange
US10623401B1 (en) 2017-01-06 2020-04-14 Allstate Insurance Company User authentication based on telematics information
US11165769B1 (en) 2017-01-06 2021-11-02 Allstate Insurance Company User authentication based on telematics information
US11750601B1 (en) 2017-01-06 2023-09-05 Allstate Insurance Company User authentication based on telematics information
US20230035570A1 (en) * 2021-07-27 2023-02-02 Capital One Services, Llc Authenticating Based On User Behavioral Transaction Patterns
US11823197B2 (en) * 2021-07-27 2023-11-21 Capital One Services, Llc Authenticating based on user behavioral transaction patterns
US20240013211A1 (en) * 2022-07-05 2024-01-11 Capital One Services, Llc Computer Authentication Using Transaction Questions That Exclude Peer-to-Peer Transactions

Similar Documents

Publication Publication Date Title
US20230045378A1 (en) Non-repeatable challenge-response authentication
US10699275B2 (en) Systems and methods for use in authorizing transactions to accounts
US20150170148A1 (en) Real-time transaction validity verification using behavioral and transactional metadata
US20190087825A1 (en) Systems and methods for provisioning biometric templates to biometric devices
US20180052981A1 (en) Systems and methods for improving kba identity authentication questions
US20200126151A1 (en) Systems and methods for providing budget management that incorporates budget regulated transaction alerts
US11188913B2 (en) Systems and methods for securely verifying a subset of personally identifiable information
WO2015062290A1 (en) Methods and systems for authentications and online transactions
US11704666B1 (en) Systems and methods for authorizing transactions without a payment card present
WO2015152905A1 (en) Using challenge questions for user authentication
US20240046272A1 (en) Systems and methods for bypassing contactless payment transaction limit
Korauš et al. SECURITY ASPECTS: PROTECTION OF PEOPLE IN CONNECTION WITH THE USE OF PERSONAL IDENTIFICATION NUMBERS.
US12062052B2 (en) Systems for securing transactions based on merchant trust score
Kairinos The integration of biometrics and AI
US12354101B2 (en) Systems and methods for providing in-person status to a user device
US12248935B2 (en) Systems and methods for conducting remote user authentication
US20230281631A1 (en) Fraud prevention systems and methods for selectively generating virtual account numbers
US20240202743A1 (en) Learning model evaluation system, learning model evaluation method, and program
US20240211574A1 (en) Learning model creating system, learning model creating method, and program
CN113614677B (en) Motion-initiated transaction system using over-the-air signpost
US20220051241A1 (en) Systems and methods for user verification via short-range transceiver
US20250131439A1 (en) Systems and methods for fraud reduction through multi-business authentication
US20240412209A1 (en) Systems and methods for dynamic declination generation
US20230104119A1 (en) Systems and methods for storing dynamic data
US20150269662A1 (en) Method and apparatus for verifying a validity of communication from a fraud detection service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14887750

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase
122 Ep: pct application non-entry in european phase

Ref document number: 14887750

Country of ref document: EP

Kind code of ref document: A1