`(12) Patent Application Publication (10) Pub. No.: US 2003/0046591 A1
(43) Pub. Date: Mar. 6, 2003
`Asghari-Kamrani et al.
`
`US 20030046591A1
`
(54) CENTRALIZED IDENTIFICATION AND
AUTHENTICATION SYSTEM AND METHOD

(76) Inventors: Nader Asghari-Kamrani, Centerville,
VA (US); Kamran Asghari-Kamrani,
Centerville, VA (US)

Correspondence Address:
NADER ASGHARI-KAMRANI
6558 PALISADES DRIVE
CENTERVILLE, VA 20121 (US)

(21) Appl. No.: 09/940,635

(22) Filed: Aug. 29, 2001

Publication Classification

(51) Int. Cl.7 H04L 9/32
(52) U.S. Cl. 713/202

(57) ABSTRACT

A method and system is provided by a Central-Entity for
identification and authorization of users over a communication
network such as the Internet. The Central-Entity centralizes
users' personal and financial information in a secure
environment in order to prevent the distribution of users'
information in e-commerce. This information is then used to
create a digital identity for the users. The digital identity of
each user is dynamic, non-predictable and time dependent,
because it is a combination of a user name and a dynamic,
non-predictable and time dependent secure code that will be
provided to the user for his identification.
`
The user will provide his digital identity to an External-Entity
such as a merchant or service provider. The External-Entity
depends on the Central-Entity to identify the user based on
the digital identity given by the user. The External-Entity
forwards the user's digital identity to the Central-Entity for
identification and authentication of the user and the
transaction.

The identification and authentication system provided by the
Central-Entity determines whether the user is an authorized
user by checking whether the digital identity provided by the
user to the External-Entity corresponds to the digital identity
being held for the user by the authentication system. If they
correspond, the authentication system identifies the user as an
authorized user and sends an approval identification and
authorization message to the External-Entity; otherwise the
authentication system does not identify the user as an
authorized user and sends a denial identification and
authorization message to the External-Entity.
`
Representative drawing: flowchart of the identification and
authorization phase, from step 124: 130 The External-Entity
forwards the user's digital identity along with the
identification and authentication request to the Central-Entity;
134 The Central-Entity locates the user's digital identity in the
system; 138 Central-Entity compares the user's digital identity
retrieved from the system to the digital identity received from
the External-Entity; Yes: 140 Central-Entity sends an approval
identification and authorization message to the External-Entity;
No: 150 Central-Entity sends a denial identification and
authorization message to the External-Entity. (Same as Figure 5.)
`
Figure 1 (Sheet 1 of 5): high-level overview of system 1. Users
10 and External-Entities 20 (External-Entity 1, 2, 3) exchange
information with the Central-Entity 30 over the communication
network 50 (such as Internet).
`
`
`
Figure 2 (Sheet 2 of 5): detailed overview. User 10, External-Entity
20 and Central-Entity 30 communicate over the communication
network 50; labelled elements: Registration, Digital Identity
Generation, SecureCode, Request/Receive SecureCode. The legend
lists the circled step numbers of the Registration Phase, the
Transaction Phase and the Identification & Authorization Phase.
`
`
`
Figure 3 (Sheet 3 of 5): registration phase flowchart. 100 User
signs up at the Central-Entity by providing his personal or
financial information; 104 Central-Entity creates an account for
the USER; 108 USER receives account information from the
Central-Entity, including UserName and Password; continues at
110.
`
`
`
Figure 4 (Sheet 4 of 5): transaction phase flowchart, from 108.
110 USER attempts to get access to a restricted web site OR to
buy goods/services; 114 USER requests SecureCode from the
Central-Entity over the communication network; 118 Central-Entity
generates dynamic, non-predictable and time dependent
SecureCode; 120 USER receives the SecureCode; 124 USER provides
his UserName and SecureCode as digital identity to the
External-Entity for identification; continues at 130.
`
`
`
Figure 5 (Sheet 5 of 5): identification and authorization phase
flowchart, from 124. 130 The External-Entity forwards the user's
digital identity along with the identification and authentication
request to the Central-Entity; 134 The Central-Entity locates the
USER's digital identity in the system; 138 Central-Entity compares
the user's digital identity retrieved from the system to the
digital identity received from the External-Entity; Yes: 140
Central-Entity sends an approval identification and authorization
message to the External-Entity; No: 150 Central-Entity sends a
denial identification and authorization message to the
External-Entity.
`
`
`
`
`CENTRALIZED IDENTIFICATION AND
`AUTHENTICATION SYSTEM AND METHOD
`
`BACKGROUND OF THE INVENTION
`
`[0001]
`
`1. Field of the Invention
`
`[0002] The present invention relates to a centralized iden-
`tification and authentication system and method for identi-
`fying an individual over a communication network such as
`Internet, to increase security in e-commerce. More particu-
`larly a method and system for generation of a dynamic,
`non-predictable and time dependent SecureCode for the
`purpose of positively identifying an individual.
`
`[0003]
`
`2. Description of the Related Art
`
`[0004] The increasing use of the Internet and the increase
`of businesses utilizing e-commerce have lead to a dramatic
`increase in customers releasing confidential personal and
`financial information, in the form of social security numbers,
`names, addresses, credit card numbers and bank account
`numbers, to identify themselves. This will allow them to get
`access to the restricted web sites or electronically purchase
`desired goods or services. Unfortunately this type of iden-
`tification is not only unsafe but also it is not a foot proof that
`the user is really the person he says he is. The effect of these
`increases is reflected in the related art.
`
[0005] U.S. Pat. No. 5,732,137 issued to Aziz outlines a
system and method for providing remote user authentication
in a public computer network such as the Internet. More
specifically, the system and method provides for remote
authentication using a one-time password scheme having a
secure out-of-band channel for initial password delivery.
`
[0006] U.S. Pat. No. 5,815,665 issued to Teper et al.
outlines the use of a system and method for enabling
consumers to anonymously, securely and conveniently purchase
on-line services from multiple service providers over a
distributed network, such as the Internet. Specifically, a
trusted third-party broker provides billing and security
services for registered service providers via an online
brokering service, eliminating the need for the service
providers to provide these services.
`
`[0007] U.S. Pat. No 5,991,408 issued to Pearson, et al.
`outlines a system and method for using a biometric element
`to create a secure identification and verification system, and
`more specifically to an apparatus and a method for creating
`a hard problem which has a representation of a biometric
`element as its solution.
`
[0008] Although each of the previous patents outlines a
valuable system and method, what is really needed is a
system and method that offers a digital identity to the users
and allows them to participate in e-commerce without
worrying about privacy and security. In addition to offering
security and privacy to the users, the new system has to be
simple for businesses to adopt and must not require the
financial institutions to change their existing systems. Such
a secure, flexible and scalable system and method would be of
great value to the businesses that would like to participate
in today's electronic commerce.
`
[0009] None of the above inventions and patents, taken
either singly or in combination, is seen to describe the
instant invention as claimed. Thus a centralized identification
and authentication system and method solving the
aforementioned problems is desired.
`
`[0010] For convenience, the term “user” is used through-
`out to represent both a typical person consuming goods and
`services as well as a business consuming goods and services.
`
[0011] As used herein, a "Central-Entity" is any party that
holds the user's personal and/or financial information,
UserName and Password, and generates a dynamic,
non-predictable and time dependent SecureCode for the user.
Examples of a Central-Entity are: banks, credit card issuing
companies or any intermediary service companies.
`
[0012] As also used herein, an "External-Entity" is any
party offering goods or services that users utilize by directly
providing their UserName and SecureCode as digital identity.
Such an entity could be a merchant, service provider or an
online site. An "External-Entity" could also be an entity that
receives the user's digital identity indirectly from the user
through another External-Entity in order to authenticate the
user; such an entity could be a bank or a credit card issuing
company.
`
`[0013] The term “UserName” is used herein to denote any
`alphanumeric name, id, login name or other identification
`phrase, which may be used by the “Central-Entity” to
`identify the user.
`
`[0014] The term “Password” is used herein to denote any
`alphanumeric password, secret code, PIN, prose phrase or
`other code, which may be stored in the system to authenti-
`cate the user by the “Central-Entity”.
`
`[0015] The term “SecureCode” is used herein to denote
`any dynamic, non-predictable and time dependent alphanu-
`meric code, secret code, PIN or other code, which may be
`broadcast to the user over a communication network, and
`may be used as part of a digital identity to identify a user as
`an authorized user.
`
[0016] The term "digital identity" is used herein to denote
a combination of the user's "SecureCode" and user information
such as "UserName", which results in a dynamic,
non-predictable and time dependent digital identity that
could be used to identify a user as an authorized user.
`
`[0017] The term “financial information” is used herein to
`denote any credit card and banking account information
`such as debit cards, savings accounts and checking accounts.
`
`SUMMARY OF THE INVENTION
`
[0018] The invention relates to a system and method
provided by a Central-Entity for centralized identification
and authentication of users and their transactions to increase
security in e-commerce. The system includes:
`
[0019] A Central-Entity: This entity centralizes users'
personal and financial information in a secure environment
in order to prevent the distribution of users' information
in e-commerce. This information is then used to create a
digital identity for the users. The users may use their
digital identity to identify themselves instead of providing
their personal and financial information to the
External-Entities;
`
[0020] A plurality of users: A user represents both a
typical person consuming goods and services as well as a
business consuming goods and services, who needs to be
identified in order to make online purchases or to get access
to restricted web sites. The user registers at the
Central-Entity to receive his digital identity, which is then
provided to the External-Entity for identification;
`
[0021] A plurality of External-Entities: An External-Entity
is any party offering goods or services in e-commerce and
needs to authenticate the users based on digital identity.
`
[0022] The user signs up at the Central-Entity by providing
his personal or financial information. The Central-Entity
creates a new account with the user's personal or financial
information and issues a unique UserName and Password to
the user. The user provides his UserName and Password to
the Central-Entity for identification and authentication
purposes when accessing the services provided by the
Central-Entity. The Central-Entity also generates a dynamic,
non-predictable and time dependent SecureCode for the user
upon the user's request and issues the SecureCode to the user.
The Central-Entity maintains a copy of the SecureCode for
identification and authentication of the user's digital
identity. The user presents his UserName and SecureCode as
digital identity to the External-Entity for identification.
When an External-Entity receives the user's digital identity
(UserName and SecureCode), the External-Entity will forward
this information to the Central-Entity to identify and
authenticate the user. The Central-Entity will validate the
information and send an approval or denial response back to
the External-Entity.
`
[0023] There are also communication networks for the
user, the Central-Entity and the External-Entity to give and
receive information between each other.
`
[0024] This invention also relates to a system and method
provided by a Central-Entity for centralized identification
and authentication of users to allow them access to restricted
web sites using their digital identity, preferably without
revealing confidential personal or financial information.

[0025] This invention further relates to a system and
method provided by a Central-Entity for centralized
identification and authentication of users to allow them to
purchase goods and services from an External-Entity using
their digital identity, preferably without revealing
confidential personal or financial information.

[0026] Accordingly, it is a principal object of the invention
to offer a digital identity to the users for identification in
e-commerce.
`
[0027] It is another object of the invention to centralize
the user's personal and financial information in a secure
environment.

[0028] It is another object of the invention to prevent the
user from distributing their personal and financial
information.

[0029] It is a further object of the invention to keep
merchants, service providers, Internet sites and financial
institutions satisfied by positively identifying and
authenticating the users.

[0030] It is another object of the invention to reduce fraud
and increase security for e-commerce.

[0031] It is another object of the invention to allow
businesses to control visitors' access to their web sites.

[0032] It is another object of the invention to protect the
customer from getting bills for goods and services that were
not ordered.

[0033] It is another object of the invention to increase
customers' trust and reduce customers' fear of e-commerce.

[0034] It is another object to decrease damages to the
customers, merchants and financial institutions.

[0035] It is an object of the invention to provide improved
elements and arrangements thereof for the purposes described
which are inexpensive, dependable and fully effective in
accomplishing their intended purposes.
`
`[0036] These and other objects of the present invention
`will become readily apparent upon further review of the
`following specification and drawings.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0037] FIG. 1 is a high-level overview of a centralized
`identification and authentication system and method accord-
`ing to the present invention.
`
`[0038] FIG. 2 is a detailed overview of a centralized
`identification and authentication system and method accord-
`ing to the present invention.
`
`[0039] FIG. 3 is a block diagram of the registration of a
`customer utilizing a centralized identification and authenti-
`cation system and method according to the present inven-
`tion.
`
`[0040] FIG. 4 is a block diagram of the transaction of a
`customer utilizing a centralized identification and authenti-
`cation system and method according to the present inven-
`tion.
`
`[0041] FIG. 5 is a block diagram of a Central-Entity
`authorizing a user utilizing a centralized identification and
`authentication system and method according to the present
`invention.
`
`DETAILED DESCRIPTION OF THE
`PREFERRED EMBODIMENTS
`
`[0042] Detailed descriptions of the preferred embodiment
`are provided herein. It is to be understood, however, that the
`present invention may be embodied in various forms. There-
`fore, specific details disclosed herein are not to be inter-
`preted as limiting, but rather as a basis for the claims and as
`a representative basis for teaching one skilled in the art to
`employ the present invention in virtually any appropriately
`detailed system, structure or manner.
`
`[0043] The invention relates to a system 1 and method 2
`to identify and authenticate the users and their transactions
`to increase security in e-commerce. FIG. 1 illustrates a
`system to positively identify the users 10 in e-commerce
`based on digital identity.
`
[0044] The system 1 comprises a plurality of users 10, a
plurality of External-Entities 20 with goods and services that
are desired by the users 10 and a Central-Entity 30 providing
a unique UserName and Password to the users 10 and
generating a dynamic, non-predictable and time dependent
SecureCode for the users 10 upon the user's request. There are
also communication networks 50 for the user 10, the
Central-Entity 30 and the External-Entity 20 to give and
receive information between each other.
`
[0045] It would be desirable to develop a new system 1
and method 2 to centralize the user's personal and financial
information in a secure environment and to offer a digital
identity to the users 10 in order to provide privacy, increase
security and reduce fraud in e-commerce. Ideally, a secure
identification and authentication system 1 would distinguish
legitimate users 10 from unauthorized users. This would
increase the users' trust, which leads to more sales and cash
flow for the merchants/service providers.
`
`[0046] The present invention relates to a system 1 and
`method 2 to support this ideal identification and authenti-
`cation system. For identification purpose, a digital identity (a
`unique UserName and a dynamic, non-predictable and time
`dependent SecureCode) is used by the user 10 at the time of
`ordering or at the time of accessing a restricted Internet site.
`A series of steps describing the overall method are con-
`ducted between the users 10, the Central-Entity 30 and the
`External-Entity 20 and are outlined in FIGS. 3, 4, 5.
`
[0047] There are three distinct phases involved in using
the centralized identification and authentication system
(FIG. 2), the first being the registration phase, which is
depicted in FIG. 3. During the registration phase, the user 10
provides his personal or financial information to the
Central-Entity 30. The user 10 registers at the Central-Entity
30 (100, 104) and receives his account and login information
such as UserName and Password (108). The user 10 can access
his account at any time by connecting to the Central-Entity's
system over a communication network 50 and logging into the
system.
`
[0048] Next is the transaction phase, where the user 10
attempts to access a restricted web site or attempts to buy
services or products (110), as illustrated in FIG. 4, through a
standard interface provided by the External-Entity 20, similar
to what exists today, and selects digital identity as his
identification and authorization or payment option. The
External-Entity 20 displays the access or purchase
authorization form requesting the user 10 to authenticate
himself using his UserName and SecureCode as digital identity.
The user 10 requests a SecureCode from the Central-Entity 30
by accessing his account over the communication network 50
(114). The Central-Entity 30 generates a dynamic,
non-predictable and time dependent SecureCode for the user 10
(118). The Central-Entity 30 maintains a copy of the SecureCode
for identification and authentication of the user 10 and issues
the SecureCode to the user 10. When the user 10 receives the
SecureCode (120), the user 10 provides his UserName and
SecureCode as digital identity to the External-Entity 20
(124, FIG. 4).
`
[0049] The third phase is the identification and
authorization phase. Once the user 10 provides his digital
identity to the External-Entity 20, the External-Entity 20
forwards the user's digital identity along with the
identification and authentication request to the Central-Entity
30 (130), as illustrated in FIG. 5. When the Central-Entity 30
receives the request containing the user's digital identity,
the Central-Entity 30 locates the user's digital identity
(UserName and SecureCode) in the system (134) and compares it
to the digital identity received from the External-Entity 20 to
identify and validate the user 10 (138). The Central-Entity 30
generates a reply back to the External-Entity 20 via a
communication network 50 as a result of the comparison. If both
digital identities match, the Central-Entity 30 will identify
the user 10 and will send an approval of the identification and
authorization request to the External-Entity 20 (140);
otherwise it will send a denial of the identification and
authorization request to the External-Entity 20 (150). The
External-Entity 20 receives the approval or denial response in
a matter of seconds. The External-Entity 20 might also display
the identification and authentication response to the user 10.
`
[0050] To use the digital identity feature, the Central-Entity
30 provides the authorized user 10 the capability to obtain a
dynamic, non-predictable and time dependent SecureCode. The
user 10 will provide his UserName and SecureCode as digital
identity to the External-Entity 20 when this information is
required by the External-Entity 20 to identify the user 10.
`
[0051] The Central-Entity 30 may add other information
to the SecureCode before sending it to the user 10, by
algorithmically combining the SecureCode with the user's
information such as UserName. The generated SecureCode will
then have all the information needed by the Central-Entity 30
to identify the user 10. In this case the user will only need
to provide his SecureCode as digital identity to the
External-Entity 20 for identification.
`
[0052] In the preferred embodiment, the user 10 uses the
communication network 50 to receive the SecureCode from
the Central-Entity 30. The user 10 submits the SecureCode
in response to the External-Entity's request (124). The
SecureCode is preferably implemented through the use of an
indicator. This indicator has two states: "on" for valid and
"off" for invalid. When the user 10 receives the SecureCode,
the SecureCode is in the "on" or "valid" state. The
Central-Entity 30 may improve the level of security by
invalidating the SecureCode after its use. This increases the
level of difficulty for an unauthorized user. Two events may
cause a valid SecureCode to become invalid:
`
[0053] 1. Timer event: This event occurs when the
predefined time passes. As mentioned above, the
SecureCode is time dependent.

[0054] 2. Validation event: This event occurs when
the SecureCode forwarded to the Central-Entity 30
(as part of the digital identity) corresponds to the user's
SecureCode held in the system. When this happens
the Central-Entity 30 will invalidate the SecureCode
to prevent future use and sends an approval
identification and authorization message to the
External-Entity 20 (140).

[0055] A valid digital identity corresponds to a valid
SecureCode. When the SecureCode becomes invalid, the
digital identity will also become invalid.
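The following is an added worked example written for this page; it is not code from the patent application or its inventors. It models, in Python, the registration phase (FIG. 3), the transaction phase (FIG. 4), the identification and authorization phase (FIG. 5), the self-identifying SecureCode of paragraph [0051] and the timer and validation events of paragraphs [0053] and [0054]. The class and method names, the SecureCode format (a six-character user tag, a hyphen and eight random characters), the 120-second lifetime, the password hashing, the injectable clock and the sample user are all assumptions made for the illustration; the application specifies none of them.

```python
"""Added worked example (not code from the patent application): a minimal
model of the three-phase protocol of [0047]-[0049], the self-identifying
SecureCode of [0051] and the timer and validation events of [0053]-[0054].
Every name, the code format, the lifetime and the sample user are assumed."""
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Optional

CODE_LIFETIME_SECONDS = 120.0        # assumed "predefined time" of the timer event
CODE_ALPHABET = string.ascii_uppercase + string.digits
APPROVAL, DENIAL = "approval", "denial"


@dataclass
class IssuedCode:
    """The Central-Entity's stored copy of one SecureCode, with its on/off indicator."""
    username: str
    code: str
    expires_at: float
    valid: bool = True


class CentralEntity:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock          # injectable so the timer event can be exercised in tests
        self._users = {}             # UserName -> (salt, password hash) from registration
        self._codes = {}             # UserName -> the current IssuedCode
        self._tag_key = secrets.token_bytes(32)   # assumed key for the [0051] user tag

    # Registration phase (FIG. 3, steps 100-108): the user gets a UserName and Password.
    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _login(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        return hmac.compare_digest(self._hash(password, salt), stored)

    def _user_tag(self, username: str) -> str:
        # [0051]: a value derived from the UserName is folded into the SecureCode so
        # that the code alone tells the Central-Entity which user it was issued to.
        return hmac.new(self._tag_key, username.encode(), "sha256").hexdigest()[:6].upper()

    # Transaction phase (FIG. 4, steps 114-120): the logged-in user asks for a
    # SecureCode; the Central-Entity generates it, keeps a copy and hands it out.
    # A newly issued code replaces any earlier code held for the same user.
    def issue_securecode(self, username: str, password: str) -> Optional[str]:
        if not self._login(username, password):
            return None
        random_part = "".join(secrets.choice(CODE_ALPHABET) for _ in range(8))
        code = f"{self._user_tag(username)}-{random_part}"
        self._codes[username] = IssuedCode(username, code, self._clock() + CODE_LIFETIME_SECONDS)
        return code

    # Identification and authorization phase (FIG. 5, steps 134-150).
    def authenticate(self, username: str, code: str) -> str:
        record = self._codes.get(username)              # step 134: locate the stored copy
        if record is None or not record.valid:
            return DENIAL
        if self._clock() >= record.expires_at:          # timer event [0053]
            record.valid = False
            return DENIAL
        if not hmac.compare_digest(record.code.encode(), code.encode()):   # step 138
            return DENIAL                                # a wrong guess leaves the code valid
        record.valid = False                            # validation event [0054]: single use
        return APPROVAL

    # [0051] variant: the user presents only the SecureCode; its tag identifies
    # the user and the normal comparison then applies.
    def authenticate_code_only(self, code: str) -> str:
        tag = code.split("-", 1)[0].encode()
        for username in self._codes:
            if hmac.compare_digest(self._user_tag(username).encode(), tag):
                return self.authenticate(username, code)
        return DENIAL


class ExternalEntity:
    """A merchant or service provider: it sees UserName and SecureCode, never the Password."""

    def __init__(self, central: CentralEntity):
        self._central = central

    def checkout(self, username: str, code: str) -> str:
        # Step 130: forward the digital identity and act on the approval/denial reply.
        return self._central.authenticate(username, code)


if __name__ == "__main__":
    ce = CentralEntity()
    ce.register("alice", "correct horse")      # constructed sample user
    shop = ExternalEntity(ce)
    code = ce.issue_securecode("alice", "correct horse")
    print(shop.checkout("alice", code))        # approval
    print(shop.checkout("alice", code))        # denial: the code was invalidated on use
```

Two points the paragraphs above leave implicit but an implementation has to settle are shown here: the comparison of step 138 is done in constant time, so a SecureCode cannot be recovered character by character from response timing, and the stored copy is switched "off" both when the predefined time passes and when it has been matched once, so a captured UserName and SecureCode replayed to a second External-Entity is denied.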
`
`[0056] While the invention has been described in connec-
`tion with a preferred embodiment, it is not intended to limit
`the scope of the invention to the particular form set forth, but
`on the contrary, it is intended to cover such alternatives,
`modifications, and equivalents as may be included within
`the spirit and scope of the invention as defined by the
`appended claims.
`
`9
`
`
`
`US 2003/0046591 A1
`
`Mar. 6, 2003
`
`What is claimed is:
`
`1. A system for identifying an individual over a commu-
`nication network; comprising:
`
`a User that needs to be identified in e-commerce;
`
`a Central-Entity that provides digital identity to the users
`to positively identify themselves in e-commerce;
`
`an External-Entity offering goods or services and needs to
`authenticate the users in e-commerce;
`
`a communication network for the user, the Central-Entity
`and the External-Entity to send and receive information
`between each other.
2. The system according to claim 1, wherein said digital
identity includes SecureCode and other information such as
UserName.

3. A system according to claim 2, wherein said SecureCode
is a dynamic, non-predictable and time dependent
alphanumeric code, secret code, PIN or other code.
`4. The system according to claim 1, wherein said com-
`munication network includes Internet, wireless and private
`networks.
5. A method for identifying an individual; comprising the
steps:

The user registers at the Central-Entity;

The user provides his personal and/or financial informa-
tion to the Central-Entity;

The user receives his unique UserName and Password
from the Central-Entity;

The user attempts to get access to a restricted web site or
to buy goods and/or services from an External-Entity;

The External-Entity requests the user to authenticate
himself using his digital identity;

The user requests SecureCode from the Central-Entity;

The Central-Entity generates dynamic, non-predictable
and time dependent SecureCode for the user;

The Central-Entity stores a copy of the SecureCode and
sends out the SecureCode to the user over a commu-
nication network;

The user receives the SecureCode over a communication
network;

The user submits his SecureCode as part of the digital
identity in response to External-Entity's request;

The External-Entity forwards the user's digital identity
along with the identification and authentication request
to the Central-Entity over a communication network;

The Central-Entity retrieves the user's digital identity
including the SecureCode from the system;

The Central-Entity compares the retrieved user's digital
identity with the digital identity received from the
External-Entity;

The Central-Entity sends an approval identification and
authorization message to the External-Entity when the
digital identity forwarded to the Central-Entity
matches the user's digital identity retrieved from the
system;

The Central-Entity sends a denial identification and
authorization message to the External-Entity when the
digital identity forwarded to the Central-Entity does not
match the user's digital identity retrieved from the
system.
`
`10
`
`10