`
`USAA 1051
`USAA v Asghari-Kamrani
`CBM2016-00063
`CBM2016-00064
`
`
`
`PTOISBI1 7 (12—0-W2)
`Approved for use through 0713112006. OMB 0651-0032
`US. Patent and Tmdernark Otfioe: U.S. DEPARTMENT OF COMMERCE
`Ilnderthe Panerwak Reductirm Add 1995 no nersnnsare reouiredtnrasnond Ina ullaiimafinformation unlasitdisntavs avalid OMB control number
`
`Elream on 12.128/2oo4.
`Fees oursuantta the ComoEdaledAnpmnn'atr'ans Act. 2005 (HR 4818).
`
`Complete if Known
`
`FEE TRANSMITTAL
`For FY 2005
`
`D
`
`I2] Applicant claims small entity status. See 37 CFR 1.27
`mm momor man
`METHOD OF PAYMENT (check all that appl )
`
`Check D Credit Card lj Money Order l:l None l:lOmer (please identify)!
`El Deposit Account DepositAccount Numt-ec__________:___ Deposit Account Name:
`Forthe aboveiderlfified depositaocount. the Diredoris hereby authorizedto: (check allthatapply)
`
`l:lcnaige fee(s) indicated below, except for the filing fee
`l:lChar9e fee(s) indicated below ‘
`cmdfl
`Charge any additional fee(s) or underpayments offee(s)
`D 3"’ °"e""'""°'"s
`l:lunder31 CFR 1.16 and 1.17
`WARNING: Inforrnation on thls term may become pubtlc. Credit card Irrfomntion should not be Included on this form. Pnwide credit cant
`Information and authorization on PTO-2038.
`
`FEE CALCULATION
`
`1. BASIC FILING, SEARCH, AND EXAMINATION FEES
`FILINGSFHEEISE
`SEARCH FEES
`mg‘
`Small em‘
`mm Feefi)
`Fit!)
`Feo(§)
`300
`150
`500
`200
`100
`100
`200
`l 00
`300
`300
`
`&m<.=._afl.;-ulirra
`Utility
`_. Design
`Plant
`Reissue
`
`50
`150
`
`EXAMINATION FEES
`Small egg
`F_eo_I!)
`Fee(§)
`200
`100
`130
`65
`160
`600
`
`200
`
`100
`
`Provisional
`2. EXCESS CLAIM FEES
`Fee Descrifion
`Each claim over 20 (including Reissues)
`Each independent claim over 3 (including Reissues)
`Multiple dependent claims
`Total Claims
`Extra Calms mm Fg Paid m
`- 20 or HP =
`’x
`=
`HP = highestnurnheroftnhldairns paidfor. ifgreaterthan 2o.
`lndgg Claims
`Extra C|ail'IB
`Fee [§)
`=
`x
`- 3, HP =
`HP = highest hum; of independentclaims paid for. ifgreater than 3.
`_
`3. APPLICATION SIE FEE
`Ifthe specification and drawings exceed 100 sheets of paper (excluding electromcally filed sequence or computer
`listings under 37 CFR 1.52(e)), the application size fee due is $250 ($125 for small entity) for each additional 50
`sheets or fraction thereof. See 35 U.S.C. 4lY2(l)(G) and 37 CFR 1.162.
`Total Sheets
`Extra Sheets
`Num r of each additional 50 or
`ction thereof
`-100:
`I50=
`(rounduptoawholenumber) x
`
`Fee Paid [Q]
`
`Foe |§)
`
`Foe‘Paid 1;)
`
`4. OTHER FEE(S)
`Non-English Specification,
`
`$130 fee (no small entity discomit)
`
`F§ paid (:1
`
`Other (e.g., late filingsmdmge): ___________
`
`Date 01 /5 0 5
`Thiseotlectionofinformation isrequired by 37 CFR 1.136. Theinforrnation '3 required toobtain orretaina benefit bythe publicvthulistntie (and bythe
`USPTO to prooess)an'appIiaa1ion, Confidentiality is govemed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 30 minutes to complete.
`including gathering. preparing. and submitting the completed application form to the USPTO. Time will vary depending upon the
`case. Any comments
`onthearnountaftirneyourequire to cornpletethisforrn andIorsugges1ionsforreduu'ngtt1ishurden.shouId besenttothe Chieflrrionnation Offieer, U.S. Patent
`and Trademark Office, US. Department of Commerce, P.O. Box 1450, Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS
`
`ADDRESS. SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450.
`Hyouneeda.w'slamemmmpIeuhgmefmm,¢2D1-800PTO-9199mdsebdopfi¢m2.
`
`2
`
`
`
`Privacy Act Statement
`
`The Privacy Act of 1914 (P.L 93-579) requires that you be given certain information in connection
`with your submission of the attached fonn related to a patent application or patent. Accordingly,
`pursuant to the requirements of the Act, please be advised that: (1) the general authority for the
`collection of this irrfomration is 35 U.S.C. 2(b)(2); (2) furnishing of the infomration solicited is voluntary;
`and (3) the principal purpose for which the infomation is used by the U.S. Patent and Trademark
`Office is to process andlor examine your submission related to a patent application or patent. If you do
`not furnish the requested infonnation, the U.S. Patent and Trademark Office may not be able to
`process andlor examine your submission, which may result in termination of proceedings or
`abandonment of the application or expiration of the patent
`
`The infonnation provided by you in this fonn will be subject to the following routine uses:
`
`1. Theinfonnation on this fonn will be treated confidentially to the extent allowed under the
`Freedom of Infomration Act (5 U.S.C. 552) and the Privacy Act (5 U.S.C 5523). Records front
`this system of records may be disclosed to the Department of Justice to determine whether
`disclosure of these records is required by the Freedom of Information Act.
`'
`A record from this system of records may be disclosed, as a routine use, in the course of
`presenting evidence to a court, magistrate, or administrative tribunal, including disclosures to
`opposing counsel in the course of settlement negotiations.
`A record in this system of records may be disclosed, as a routine use, to a Member of
`Congress submitting a request involving an individual, to whom the record pertains, when the
`individual has requested assistance from the Member with respect to the subject matter of the
`record.
`
`A record in this system of records may be disclosed. as a routine use. to a contractor of the
`Agency having need for the infomtation in order to perform a contract. Recipients of
`infomration shall be required to comply with the requirements of the Privacy Act of 1974, as
`amended, pursuant to 5 U.S.C. 552a(m).
`A record related to an lntemational Application filed under the Patent Cooperation Treaty in
`this system of records may be disclosed. as a routine use. to the lntemational Bureau of the
`World Intellectual Property Organization, pursuant to the Patent Cooperation Treaty.
`A record in this system of records rmy be disclosed, as a routine use, to another federal
`agency for purposes of National Security review (35 U.S.C. 181) and for review pursuant to
`the Atomic Energy Ad (42 U.S.C. 218(c)).
`A record from this system of records may be disclosed. as a routine use, to the Administrator,
`General Services, or hislher designee, during an inspection of records conducted by GSA as
`part of that agency's responsibility to recommend improvementsin records management
`practices and programs, under authority of 44 U.S.C. 2904 and 2906. Such disclosure shall
`be made in accordance with the GSA regulations goveming inspection of records for this
`purpose, and any other relevant (i.e., GSA or Commerce) directive. Such disclosure shall not
`be used to make determinations about individuals.
`A record from this system of records may be disclosed, as a routine use, to the public atter
`either publiration of the application pursuant to 35 U.S.C. 122(b) or issuance of a patent
`pursuant to 35 U.S.C. 151. Further, a record may be disclosed, subject to the limitations of 37
`CFR 1.14, as a routine use, to the public it the record was filed in an applirztion which
`berame abandoned or in which the proceedings were terminated and which application is
`referenced by either a published application, an application open to public inspection or an
`issued patent.
`A record from this system of records may be disclosed, as a routine use, to a Federal, State,
`or II law enforcement agency, if the USPTO becomes aware of a violation or potential
`violation of law or regulation.
`
`3
`
`
`
`Direct Authentication System and Method
`
`via Trusted Authenticators
`
`U.S. Patent Agglication of
`
`Nader Asghari-Kamrani
`
`and
`
`Kamran Asghari-Kamrani
`
`4
`
`
`
`Direct Authentication System and Method
`
`via Trusted Authenticators
`
`This application is a continuation-in-part of U.S. Patent Application No.
`
`09/940,635 filed August 31, 2001, and claims priority to U.S. Provisional
`
`Application No. 60/650,137 filed February 7, 2005.
`
`BACKGROUND OF THE INVENTION
`
`1. FIELD OF THE INVENTION
`
`The present invention generally relates to a direct authentication system
`
`and method, more particularly, to a new tvvo-factor authentication method used
`
`by a business to authenticate its customers’ identity utilizing trusted-
`
`authenticators.
`
`2. DESCRIPTION OF THE RELATED ART
`
`Fraud and Identity theft, the taking of a person’s identity for the purpose of
`
`committing a criminal act, is a growing national concern, both in terms of its affect
`
`on its victims, and its potential national security implications. Checking account
`
`fraud costs US banks USD 698 million in 2002, according to the American
`
`2of33
`
`5
`
`
`
`Bankers’ Association, while those perpetrating the fraud attempted to take USD
`
`4.3 billion in total. Identity theft costs financial institutions USD 47.6 billion in
`
`2002-2003. A report issued in September 2003 by the Federal Trade
`
`Commission estimates that almost 10 million Americans were victims of some
`
`type of identity theft within the previous year. Especially unnerving are the
`
`numerous accounts of the ordeals that victims endure as they attempt to deal
`
`with the results of this crime. They are assumed to be responsible for the debts
`
`incurred by the thief until they can demonstrate that they have been victims of
`
`fraud. They are targeted by collection agencies trying to collect on debts
`
`generated by thieves who open new accounts in their name. They have to deal
`
`with damaging information placed in their credit files as a result of the imposter’s
`
`actions. It's well known how this can happen. Fraudulent charges may be posted
`
`to someone’s checking account if the thief knows the account number and banks
`
`routing number. Identity thieves can “take over” an existing account and withdraw
`
`money, as well as change other account information such as mailing address, if
`
`the thief knows a few pieces of sensitive personal information, especially the
`
`account holder's Social Security Number (SSN). Perhaps worst of all, a thief can
`
`easily open a new account in someone else’s name by completing an application
`
`for a new credit account, using the victim’s name and SSN, but"with a different
`
`address. The credit grantor, whether it be a retailer offering instant credit
`
`accounts via their website, a telecommunications company offering a new cell
`
`phone account, a bank offering a credit card, or an auto dealership offering a
`
`new car loan, uses the information provided by the thief to obtain a credit report
`
`on the person named in the account application. if the report indicates that the
`
`person named in the application is a good credit risk, a new account will likely be
`
`opened in the victim’s name. But the victim never knows about the late and
`
`unpaid bills, until his credit is ruined.
`
`6
`
`
`
`Online Fraud happens because online businesses such as retailers
`
`assume that the person shopping online is the same person whose personal or
`
`financial information are given. Identity theft happens because creditors assume
`
`that the person filling the application is the same person whose name and
`
`personal information are used in the application, unless there is clear evidence to
`
`the contrary. A business “authenticates” a customer by matching personal and
`
`financial information provided, such as name, SSN, birth date, etc., with
`
`information contained in third party databases (indirect authentication). If there is
`
`a match on at least a few items of information, it is assumed that the person is
`
`the same person who he says he is. This assumption itself is a direct result of a
`
`belief that sensitive personal and financial information can be kept secret and out
`
`of the hands of thieves. Yet the widespread incidence of fraud and identity theft,
`
`as detailed by the personal stories of its many victims, clearly demonstrates that
`
`this notion is false. A recent paper by Prof. Daniel Solove (‘‘Identity Theft,
`
`Privacy, and the Architecture of Vulnerability”, Hastings Law Journal, Vol 54, N o.
`
`4 (2003), page 1251) of the Seton Hall Law School aptly points out that “The
`
`identity thief’s ability to so easily access and use our personal and financial data
`
`stems from an architecture that does not provide adequate security to our
`
`personal and financial information and that does not afford us with a sufficient
`
`degree of participation in the collection, dissemination, and use of that
`
`information." He further goes on to say “The problem, however, runs deeper than
`
`the public disclosure of Social Security Numbers (SSN), personal and financial
`
`information. The problem stems not only from the government’s creation of a de
`
`facto identifier and lax protection of it, but also from the private sector’s
`
`inadequate security measures in handling personal informatiorf’. “Further, identity
`
`thieves can obtain personal and financial information simply by paying a small
`
`7
`
`
`
`fee to various database companies and obtaining a detailed dossier about their
`
`victims.” There’s only a certain amount that an individual can do to prevent
`
`sensitive information from getting into the wrong hands, such as keeping a tight
`
`grip on one’s purse or wallet. Beyond that, the information is easily available to a
`
`thief in numerous other ways. It may be available through certain public records.
`
`It can be purchased from publicly available databases for a nominal fee. It can be
`
`copied from medical claims forms lying around in a doctor’s office. Other
`
`methods include breaking into various commercial databases containing
`
`sensitive information about business’s customers, many times with the help of an
`
`insider. As long as the authentication of new credit applications is based upon
`
`knowledge of a few items of personal information that are supposed to be
`
`confidential, the only way to truly prevent this type of identity theft is to keep
`
`one’s personal information out of the hands of thieves, an impossible task. This is
`
`also true in the case of identity theft involving account takeovers, in which the
`
`thief uses knowledge of personal information about the victim to obtain
`
`information needed to take over someone’s existing account.
`
`There have been many attempts to solve above issues and concerns. One
`
`being the recent paper by Prof. Lynn LoPucki of the UCLA School of Law
`
`(www.ssrn.com/abstract=263213). The paper addresses many of these
`
`concerns, and suggests an approach to the identity theft problem that addresses
`
`the fundamental flaws in the process. This approach does not depend on
`
`keeping personal information secret, asking out-of-wallet questions, or computing
`
`fraud scores based on historical data and analytical fraud models. LoPucki’s
`
`approach, which he calls the Public Identity System (PIDS), would establish a
`
`voluntary list of people concerned about identity theft, and who consent to be
`
`directly contacted for verification when someone applies for credit in their name.
`
`5of33
`
`8
`
`
`
`The list would be maintained by a government agency. An individual would
`
`voluntarily provide his/her personal information to the list, including name, SSN,
`
`and perhaps other identifying information. A thorough authentication process
`
`would ensure that new members of the list are truly the persons they claim to be.
`
`A personal appearance before the government agency that maintains the list
`
`would be required. Individuals participating in PIDS would specify one or more
`
`standardized ways that a creditor should contact them when the creditor has
`
`received a new account application in their name. Contact methods would likely
`
`be limited to a phone call, e-mail (encrypted or unencrypted), or US Mail. When a
`
`creditor receives a new account application, the creditor would consult the list to
`
`determine if the person named in the application, as identified by a SSN or other
`
`information, is a PIDS participant. If the named person is not a participant, the
`
`new account application would be processed in the usual manner. if, however,
`
`the named person is a PIDS participant, the creditor would contact the individual
`
`directly using one or more of the contact methods specified in the instructions
`
`provided by the individual.
`
`A PIDS participant may even require, under some circumstances, a
`
`personal appearance before the creditor by anyone applying for a new account in
`
`his or her name. The reason for contacting the participant would be to verify that
`
`the participant is truly the person who submitted the new account application.
`
`To significantly reduce identity theft using this approach, creditors would need to
`
`have an incentive to consult the list and follow the instructions given, and
`
`consumers would need to participate in PIDS in large numbers.
`
`Although Prof. LoPucki’s approach addresses the fundamental flaws in the
`
`credit granting process responsible for identity theft, it is time consuming for
`
`6of33
`
`9
`
`
`
`creditors to verify customer’s identity. Also, some difficulties may arise with its
`
`implementation. The list of PIDS participants, together with their Social Security
`
`Numbers and contact information, would reside on a government website, and
`
`the information would be available to the public. This would only be implemented
`
`if the laws were changed to prevent knowledge of this information alone as
`
`providing “proof” of identity, as well as preventing other types of privacy invasions
`
`that might be enabled with public access to such information. Although the legal
`
`changes would make one's personal information much less useful to an identity
`
`thief, it is not clear how comfortable people would feel about an arrangement that
`
`allows their personal information to be made public in such an overt manner. In
`
`addition, PIDS participants would also need to personally appear before the
`
`government agency managing the list. These factors may inhibit many people
`
`from participating in PIDS. Since creditors would be required to directly contact
`
`individuals named in an account application if the person’s name appears on the
`
`list, creditors may find this type of “direct authentication” process to be
`
`burdensome, especially if it involves more than a simple phone call or email. This
`
`may lead creditors to oppose PIDS. In addition, there is the question of how the
`
`creditor should authenticate the person taking the call, or responding to the
`
`email. How can the creditor be sure that the person taking the call, or responding
`
`to the email, is truly the person who joined PIDS, and who now should be queried
`
`about the credit application? Finally, the implementation of PIDS would seem to
`
`require the establishment of a new government bureaucracy to perform
`
`necessary functions such as establishing and maintaining the PIDS list, meeting
`
`with those individuals seeking to participate, verifying their identity credentials,
`
`and establishing the standardized methods by which creditors will contact and
`
`interact with PIDS participants. Of course, implementing any alternative to PIDS
`
`would also require a certain amount of up-front work to develop the necessary
`
`7of33
`
`10
`
`
`
`capabilities and infrastructures. And while it is not unreasonable for a
`
`government agency (such as a state motor vehicles bureau) to undertake at least
`
`some of these tasks, it is not clear whether any federal or state agencies would
`
`be ready and willing to fulfill the entire role.
`
`Another possible solution has been suggested to modify Prof. LoPucki’s
`
`approach (PIDS procedure) somewhat to take advantage of the existing trust
`
`relationships that individuals have already established with various organizations
`
`that they deal with. Rather than requiring creditors to authenticate applicants for
`
`new accounts by contacting them directly, these interactions could instead be
`
`performed by a “trusted authenticator.” The trusted authenticator would be an
`
`entity that already knows the individual, maintains personal information about
`
`that individual, and has established a trusted relationship with that person. The
`
`advantage of using trusted authenticators is that the authentication process can
`
`be built on trust relationships and infrastructures already in place. A reasonable
`
`candidate for such a trusted authenticator would be a bank or other financial
`
`institution with whom the individual has already established an account. After all,
`
`if most people trust a bank to handle their money and keep it safe, trusting that
`
`same bank to authenticate their identities in other financial transactions should
`
`be natural. Prof. LoPucki’s paper hints at such an arrangement in its discussion
`
`of how list members may choose to be contacted:
`
`The [e-mail] contact could be directly with the owner or through the
`
`owner’s trusted intermediary. Instead of creating a new government bureaucracy
`
`to implement PIDS, the existing infrastructures and trust relationships within the
`
`financial services community could be enhanced to more efficiently derive the
`
`same benefits that PIDS provides.
`
`11
`
`
`
`In this modified authentication procedure, a list of all individuals who
`
`choose to participate (the “participants”) would still be needed. The list would
`
`contain a name and SSN of each participant, together with the identity of their
`
`trusted authenticator. The list would be maintained by a new organization created
`
`by the financial services community specifically for this purpose, rather than by
`
`the government. However, the information on the list would not be accessible by
`
`the general public, but only by creditors and other members of the financial
`
`services community acting as trusted authenticators. The modified authentication
`
`procedure works as follows:
`
`The creditor, upon receiving a new account application, checks the list to
`
`determine if the person named in the application is a participant. If so, the
`
`creditor queries the trusted authenticator designated on the list, and requests
`
`verification that the person named in the application is actually the person filing
`
`the new account application. If the person is not a participant, the creditor will
`
`process the application in the usual way.
`
`Upon receiving a request from a creditor for direct authentication of a
`
`participant, who is also one of its customers, the trusted authenticator contacts its
`
`customer via a secure email message or phone call, as specified by the
`
`customer.
`
`When communication is established, the trusted authenticator must first
`
`determine that it is actually communicating with its customer, and not someone
`
`else who has intercepted the email or phone call.
`
`12
`
`
`
`An email would contain a link that takes the customer to an authentication
`
`screen on the trusted authenticator’s website. Here the customer would provide a
`
`password or Personal Identification Number (PIN) to authenticate himself/herself.
`
`The authentication process may also include an additional biometric factor such
`
`as a fingerprint or voiceprint. Most likely, the method of authentication used «
`
`would be the same as the customer would use for online banking, which provides
`
`access to his/her banking accounts online.
`
`A phone call would contain, at least, a request for the customer to provide
`
`a PIN or some other secret. A more secure authentication process might include
`
`an additional biometric factor, such as a voiceprint. Again, the method of
`
`authentication may be the same as the customer may use to perform telephone
`
`banking, which provides access to his/her banking accounts over the phone.
`
`Once the trusted authenticator has verified the identity of its customer, the
`
`trusted authenticator asks its customer whether he/she has filed a specific
`
`application for credit, as indicated in the creditor’s request for authentication.
`
`If the customer responds affirmatively, the trusted authenticator replies to
`
`the creditor that the application appears to be authentic. If the customer responds
`
`negatively, the bank responds to the creditor that the application appears to be
`
`fraudulent.
`
`The first problem with this solution is the fact that the trusted authenticator
`
`contacts its customer via an email message, which allows for phishing or brand
`
`spoofing. The customer could receive an email from a user falsely claiming to be
`
`the trusted authenticator in an attempt to scam the customer into surrendering
`
`private information that will be used for identity theft.
`
`l0of33
`
`13
`
`
`
`The second problem is the fact that a list of all individuals who choose to
`
`participate would still be needed. This will add to privacy and security concerns.
`
`Another problem is the fact that this authentication method lacks the real-
`
`time authentication and therefore it is not suited for online transactions.
`
`There have been many attempts to solve the online identification problems
`
`using tokens, smart cards or biometrics authentication methods, but these
`
`methods failed due to high cost and consumers’ dissatistactions:
`
`Password Generation Tokens — creates custom passwords each time they
`
`are activated. The cost of each token makes this type of two-factor authentication
`
`method suited only for enterprise spaces and not to the consumer level outside
`
`of the enterprise. Another problem with this method is that the passwords are
`
`generated using an algorithm that is based on both a unique user ID and the
`
`current time, which makes the next generated password guessable. Another
`
`drawback of this authentication method is that a consumer has to manage
`
`different tokens for different relationships.
`
`Biometrics — measure unique bodily characteristics such as fingerprint as
`
`a form of identification. Again, the cost of the devices makes this type of two-
`
`factor authentication method suited only for enterprise spaces. For privacy and
`
`security reasons, it’s not suited to consumer level authentication where biometric
`
`images need to be stored and transmitted over a public network such as the
`
`Internet for authentication (opens to theft or interception).
`
`14
`
`
`
`Smart Cards and — store information on a tiny computer chip on the card.
`
`This type of two-factor authentication method requires a reader device and
`
`therefore makes it suited only for enterprise spaces. There have been many
`
`attempts to implement this method to the consumer level, but each time it failed
`
`because consumers find it difficult to use (Hooking up smart card readers to
`
`computer systems), costly and software dependent.
`
`Smart Tokens — are technologically identical to the smart cards with the
`
`exception of their form factor and interface. Again, many attempts to implement
`
`this type of two-factor authentication method to the consumer level failed due to
`
`the same reasons: cost and consumer adoption (difficult to use and difficult to
`
`manage).
`
`In view of the foregoing, a need exists for a new and improved direct
`
`authentication system and method via trusted-authenticators that validates
`
`customers’ identity without the deficiencies and disadvantages of the prior arts,
`
`mainly the cost and consumer adoption. This new direct authentication system
`
`and method via trusted-authenticators will reduce the identity theft, fraud and
`
`customer privacy concerns, will be secure, easy to use and manage, will be
`
`inexpensive, will offer a high level assurance that an individual is who he/she
`
`claims he/she is, and will provide a real-time authentication solution that is suited
`
`for the consumer level authentication where real-time identity validation of the
`
`consumer is necessary.
`
`15
`
`
`
`SUMMARY OF THE INVENTION
`
`Briefly described, the present invention relates to a direct authentication
`
`system and method via trusted-authenticators.
`
`In this invention, direct authentication of an individual would be achieved
`
`via a new two-factor authentication method used by businesses to authenticate
`
`customers’ identity utilizing trusted-authenticators. A trusted-authenticator would
`
`be an entity that already knows the individual, maintains information about that
`
`individual, and has established a trusted relationship with that individual. A
`
`reasonable candidate for such a trusted-authenticator would be bank or other
`
`financial institution with whom the individual has already established a
`
`relationship. In this invention, the financial services community will have a
`
`leading role in implementing stronger forms of authentication for identity theft and
`
`fraud prevention.
`
`Experience shows that knowlege-based authentication, where individuals
`
`are recognized by demonstrating that they are in possession of information which
`
`only that individual would be expected to know,
`
`is an inexpensive, easy to use
`
`and easy to implement authentication method, where the authentication is
`
`beween two entities such as a banks’s customer and the bank. It relies on the
`
`secret information that is shared between these two entities. Therefore the
`
`underlying basis for this method is that only the real individual (bank’s customer)
`
`would know such identifying information. But, when it comes to direct
`
`authentication to the consumer level, where the individual needs to authenticate
`
`his/her identity to any other entities with whom the individual does not have an
`
`existing relationship, such knowledge-based authentication will not work.
`
`16
`
`
`
`Therefore, it's not secure to share the same secret information that the individual
`
`shares with one entity, with other entities for identification purposes. Such
`
`information is static and someone who happens to get access to such
`
`information could use it for authentication at other entities as well. Therefore,
`
`knowledge-based authentication is not secure for direct authentication of
`
`individuals.
`
`To eliminate the risks associated with the static nature of the knowledge-
`
`based authentication, this invention suggests combining knowledge-based
`
`authentication with a dynamic key or information maintained by the trusted-
`
`authenticator to create a new two-factor authentication. This new two-factor
`
`authentication confirms individual identities using two different credentials:
`
`a) Something the individual knows — This factor is a static key or
`
`information that the individual shares with his/her trusted-authenticator.
`
`b) Something the individual receives - This factor refers to SecureCode
`
`which is a dynamic key or information that the individual requests and
`
`receives from his or her trusted—authenticator at the time of authentication
`
`through a communication network. It is important to note that the
`
`individual’s dynamic key is an alphanumeric code and will have a different
`
`value each time the individual receives it from his/her trusted—authenticator
`
`for authentication purpose.
`
`The strength of this new method of authentication occures when
`
`combining two factors. This achieves a high level of assurance that an individual
`
`17
`
`
`
`is who he/she claims he/she is and enhances security and reduces privacy
`
`concerns.
`
`The direct authentication of an individual works as follows:
`
`When an individual is on a business’s site (offline or online), for successful
`
`direct authentication, the business requires the individual to provide his/her static
`
`and dynamic keys. The individual requests a dynamic key from his/her trusted-
`
`authenticator (using any communication network such as Internet or wireless)
`
`and provides it along with his/her static key to the business. When the business
`
`receives individua|'s static and dynamic keys, the business communicates
`
`authentication messages including individua|’s static and dynamic keys to the
`
`trusted-authenticator. The trusted-authenticator verifies individual’s identity if both
`
`static and dynamic keys are valid, othen/vise will send a denial authentication
`
`message back to the business over the same communication network.
`
`18
`
`
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`Fig. 1a is a high-level overview of a direct authentication system and method
`
`according to the present invention where the business directly contacts the
`
`individual’s trusted-authenticator for validation of the individual’s identity.
`
`Fig. 1b is another high-level overview of a direct authentication system and
`
`method according to the present invention where the business contacts the
`
`individual’s trusted-authenticator through its own trusted-authenticator to validate
`
`the individual’s identity.
`
`Fig. 2a illustrates the direct authentication system and method according to the
`
`present invention where the business directly contacts the individual’s trusted-
`
`authenticator for validation of the individual’s identity.
`
`Fig. 2b illustrates the direct authentication system and method according to the
`
`present invention where the business contacts the individual's trusted-
`
`authenticator through its own trusted-authenticator to validate the individual’s
`
`identity.
`
`19
`
`
`
`DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
`
`Detailed descriptions of the preferred embodiment are provided herein.
`
`It
`
`is