Direct Authentication System and Method
via Trusted Authenticators

U.S. Patent Application of
Nader Asghari-Kamrani
and
Kamran Asghari-Kamrani

1 of 33
1/37
KAMRANI 2009

Direct Authentication System and Method
via Trusted Authenticators

This application is a continuation-in-part of U.S. Patent Application No. 09/940,635 filed August 31, 2001, and claims priority to U.S. Provisional Application No. 60/650,137 filed February 7, 2005.

BACKGROUND OF THE INVENTION

1. FIELD OF THE INVENTION

The present invention generally relates to a direct authentication system and method and, more particularly, to a new two-factor authentication method used by a business to authenticate its customers' identity utilizing trusted-authenticators.

2. DESCRIPTION OF THE RELATED ART

Fraud and identity theft, the taking of a person's identity for the purpose of committing a criminal act, is a growing national concern, both in terms of its effect on its victims and its potential national security implications. Checking account fraud cost US banks USD 698 million in 2002, according to the American
Bankers' Association, while those perpetrating the fraud attempted to take USD 4.3 billion in total. Identity theft cost financial institutions USD 47.6 billion in 2002-2003. A report issued in September 2003 by the Federal Trade Commission estimates that almost 10 million Americans were victims of some type of identity theft within the previous year. Especially unnerving are the numerous accounts of the ordeals that victims endure as they attempt to deal with the results of this crime. They are assumed to be responsible for the debts incurred by the thief until they can demonstrate that they have been victims of fraud. They are targeted by collection agencies trying to collect on debts generated by thieves who open new accounts in their name. They have to deal with damaging information placed in their credit files as a result of the imposter's actions. It is well known how this can happen. Fraudulent charges may be posted to someone's checking account if the thief knows the account number and the bank's routing number. Identity thieves can "take over" an existing account and withdraw money, as well as change other account information such as the mailing address, if the thief knows a few pieces of sensitive personal information, especially the account holder's Social Security Number (SSN). Perhaps worst of all, a thief can easily open a new account in someone else's name by completing an application for a new credit account using the victim's name and SSN but with a different address. The credit grantor, whether it be a retailer offering instant credit accounts via its website, a telecommunications company offering a new cell phone account, a bank offering a credit card, or an auto dealership offering a new car loan, uses the information provided by the thief to obtain a credit report on the person named in the account application. If the report indicates that the person named in the application is a good credit risk, a new account will likely be opened in the victim's name. But the victim never knows about the late and unpaid bills until his credit is ruined.
Online fraud happens because online businesses such as retailers assume that the person shopping online is the same person whose personal or financial information is given. Identity theft happens because creditors assume that the person filling out the application is the same person whose name and personal information are used in the application, unless there is clear evidence to the contrary. A business "authenticates" a customer by matching the personal and financial information provided, such as name, SSN, birth date, etc., with information contained in third-party databases (indirect authentication). If there is a match on at least a few items of information, it is assumed that the person is who he says he is. This assumption itself is a direct result of a belief that sensitive personal and financial information can be kept secret and out of the hands of thieves. Yet the widespread incidence of fraud and identity theft, as detailed by the personal stories of its many victims, clearly demonstrates that this notion is false. A recent paper by Prof. Daniel Solove ("Identity Theft, Privacy, and the Architecture of Vulnerability", Hastings Law Journal, Vol. 54, No. 4 (2003), page 1251) of the Seton Hall Law School aptly points out that "The identity thief's ability to so easily access and use our personal and financial data stems from an architecture that does not provide adequate security to our personal and financial information and that does not afford us with a sufficient degree of participation in the collection, dissemination, and use of that information." He further goes on to say "The problem, however, runs deeper than the public disclosure of Social Security Numbers (SSN), personal and financial information. The problem stems not only from the government's creation of a de facto identifier and lax protection of it, but also from the private sector's inadequate security measures in handling personal information." "Further, identity thieves can obtain personal and financial information simply by paying a small
fee to various database companies and obtaining a detailed dossier about their victims." There is only a certain amount that an individual can do to prevent sensitive information from getting into the wrong hands, such as keeping a tight grip on one's purse or wallet. Beyond that, the information is easily available to a thief in numerous other ways. It may be available through certain public records. It can be purchased from publicly available databases for a nominal fee. It can be copied from medical claims forms lying around in a doctor's office. Other methods include breaking into various commercial databases containing sensitive information about businesses' customers, many times with the help of an insider. As long as the authentication of new credit applications is based upon knowledge of a few items of personal information that are supposed to be confidential, the only way to truly prevent this type of identity theft is to keep one's personal information out of the hands of thieves, an impossible task. This is also true in the case of identity theft involving account takeovers, in which the thief uses knowledge of personal information about the victim to obtain the information needed to take over the victim's existing account.

There have been many attempts to solve the above issues and concerns. One is the recent paper by Prof. Lynn LoPucki of the UCLA School of Law (www.ssrn.com/abstract=263213). The paper addresses many of these concerns and suggests an approach to the identity theft problem that addresses the fundamental flaws in the process. This approach does not depend on keeping personal information secret, asking out-of-wallet questions, or computing fraud scores based on historical data and analytical fraud models. LoPucki's approach, which he calls the Public Identity System (PIDS), would establish a voluntary list of people concerned about identity theft who consent to be directly contacted for verification when someone applies for credit in their name.
The list would be maintained by a government agency. An individual would voluntarily provide his/her personal information to the list, including name, SSN, and perhaps other identifying information. A thorough authentication process would ensure that new members of the list are truly the persons they claim to be. A personal appearance before the government agency that maintains the list would be required. Individuals participating in PIDS would specify one or more standardized ways that a creditor should contact them when the creditor has received a new account application in their name. Contact methods would likely be limited to a phone call, e-mail (encrypted or unencrypted), or US Mail. When a creditor receives a new account application, the creditor would consult the list to determine if the person named in the application, as identified by a SSN or other information, is a PIDS participant. If the named person is not a participant, the new account application would be processed in the usual manner. If, however, the named person is a PIDS participant, the creditor would contact the individual directly using one or more of the contact methods specified in the instructions provided by the individual.

A PIDS participant may even require, under some circumstances, a personal appearance before the creditor by anyone applying for a new account in his or her name. The reason for contacting the participant would be to verify that the participant is truly the person who submitted the new account application. To significantly reduce identity theft using this approach, creditors would need to have an incentive to consult the list and follow the instructions given, and consumers would need to participate in PIDS in large numbers.

Although Prof. LoPucki's approach addresses the fundamental flaws in the credit granting process responsible for identity theft, it is time consuming for
creditors to verify a customer's identity. Also, some difficulties may arise with its implementation. The list of PIDS participants, together with their Social Security Numbers and contact information, would reside on a government website, and the information would be available to the public. This would only be implemented if the laws were changed to prevent knowledge of this information alone from serving as "proof" of identity, as well as to prevent other types of privacy invasions that might be enabled by public access to such information. Although the legal changes would make one's personal information much less useful to an identity thief, it is not clear how comfortable people would feel about an arrangement that allows their personal information to be made public in such an overt manner. In addition, PIDS participants would also need to personally appear before the government agency managing the list. These factors may inhibit many people from participating in PIDS. Since creditors would be required to directly contact individuals named in an account application if the person's name appears on the list, creditors may find this type of "direct authentication" process to be burdensome, especially if it involves more than a simple phone call or email. This may lead creditors to oppose PIDS. In addition, there is the question of how the creditor should authenticate the person taking the call or responding to the email. How can the creditor be sure that the person taking the call, or responding to the email, is truly the person who joined PIDS and who now should be queried about the credit application? Finally, the implementation of PIDS would seem to require the establishment of a new government bureaucracy to perform necessary functions such as establishing and maintaining the PIDS list, meeting with those individuals seeking to participate, verifying their identity credentials, and establishing the standardized methods by which creditors will contact and interact with PIDS participants. Of course, implementing any alternative to PIDS would also require a certain amount of up-front work to develop the necessary
capabilities and infrastructures. And while it is not unreasonable for a government agency (such as a state motor vehicles bureau) to undertake at least some of these tasks, it is not clear whether any federal or state agencies would be ready and willing to fulfill the entire role.

Another possible solution has been suggested: to modify Prof. LoPucki's approach (the PIDS procedure) somewhat to take advantage of the existing trust relationships that individuals have already established with various organizations that they deal with. Rather than requiring creditors to authenticate applicants for new accounts by contacting them directly, these interactions could instead be performed by a "trusted authenticator." The trusted authenticator would be an entity that already knows the individual, maintains personal information about that individual, and has established a trusted relationship with that person. The advantage of using trusted authenticators is that the authentication process can be built on trust relationships and infrastructures already in place. A reasonable candidate for such a trusted authenticator would be a bank or other financial institution with whom the individual has already established an account. After all, if most people trust a bank to handle their money and keep it safe, trusting that same bank to authenticate their identities in other financial transactions should be natural. Prof. LoPucki's paper hints at such an arrangement in its discussion of how list members may choose to be contacted:

"The [e-mail] contact could be directly with the owner or through the owner's trusted intermediary."

Instead of creating a new government bureaucracy to implement PIDS, the existing infrastructures and trust relationships within the financial services community could be enhanced to more efficiently derive the same benefits that PIDS provides.
In this modified authentication procedure, a list of all individuals who choose to participate (the "participants") would still be needed. The list would contain the name and SSN of each participant, together with the identity of their trusted authenticator. The list would be maintained by a new organization created by the financial services community specifically for this purpose, rather than by the government. However, the information on the list would not be accessible by the general public, but only by creditors and other members of the financial services community acting as trusted authenticators. The modified authentication procedure works as follows:

The creditor, upon receiving a new account application, checks the list to determine if the person named in the application is a participant. If so, the creditor queries the trusted authenticator designated on the list and requests verification that the person named in the application is actually the person filing the new account application. If the person is not a participant, the creditor will process the application in the usual way.

Upon receiving a request from a creditor for direct authentication of a participant, who is also one of its customers, the trusted authenticator contacts its customer via a secure email message or phone call, as specified by the customer.

When communication is established, the trusted authenticator must first determine that it is actually communicating with its customer, and not someone else who has intercepted the email or phone call.
An email would contain a link that takes the customer to an authentication screen on the trusted authenticator's website. Here the customer would provide a password or Personal Identification Number (PIN) to authenticate himself/herself. The authentication process may also include an additional biometric factor such as a fingerprint or voiceprint. Most likely, the method of authentication used would be the same as the customer would use for online banking, which provides access to his/her banking accounts online.

A phone call would contain, at least, a request for the customer to provide a PIN or some other secret. A more secure authentication process might include an additional biometric factor, such as a voiceprint. Again, the method of authentication may be the same as the customer may use to perform telephone banking, which provides access to his/her banking accounts over the phone.

Once the trusted authenticator has verified the identity of its customer, the trusted authenticator asks its customer whether he/she has filed a specific application for credit, as indicated in the creditor's request for authentication.

If the customer responds affirmatively, the trusted authenticator replies to the creditor that the application appears to be authentic. If the customer responds negatively, the trusted authenticator responds to the creditor that the application appears to be fraudulent.

The first problem with this solution is the fact that the trusted authenticator contacts its customer via an email message, which allows for phishing or brand spoofing. The customer could receive an email from a party falsely claiming to be the trusted authenticator in an attempt to scam the customer into surrendering private information that will then be used for identity theft.
The second problem is the fact that a list of all individuals who choose to participate would still be needed. This adds to privacy and security concerns.

Another problem is that this authentication method lacks real-time authentication and therefore is not suited for online transactions.

There have been many attempts to solve the online identification problem using tokens, smart cards or biometric authentication methods, but these methods failed due to high cost and consumer dissatisfaction:

Password Generation Tokens — create a new one-time password each time they are activated. The cost of each token makes this type of two-factor authentication method suited only for enterprise spaces and not to the consumer level outside of the enterprise. Another problem with this method is that the passwords are generated by an algorithm from a per-token value and the current time, so anyone who obtains that value (and knows the algorithm) can compute the next generated password. Another drawback of this authentication method is that a consumer has to manage different tokens for different relationships.

Biometrics — measure unique bodily characteristics such as a fingerprint as a form of identification. Again, the cost of the devices makes this type of two-factor authentication method suited only for enterprise spaces. For privacy and security reasons it is not suited to consumer-level authentication, where biometric images need to be stored and transmitted over a public network such as the Internet for authentication (open to theft or interception).
Smart Cards — store information on a tiny computer chip on the card. This type of two-factor authentication method requires a reader device and is therefore suited only for enterprise spaces. There have been many attempts to bring this method to the consumer level, but each time it failed because consumers find it difficult to use (hooking up smart card readers to computer systems), costly and software dependent.

Smart Tokens — are technologically identical to smart cards with the exception of their form factor and interface. Again, many attempts to bring this type of two-factor authentication method to the consumer level failed for the same reasons: cost and consumer adoption (difficult to use and difficult to manage).

In view of the foregoing, a need exists for a new and improved direct authentication system and method via trusted-authenticators that validates customers' identity without the deficiencies and disadvantages of the prior art, mainly cost and consumer adoption. This new direct authentication system and method via trusted-authenticators will reduce identity theft, fraud and customer privacy concerns; will be secure, easy to use and manage; will be inexpensive; will offer a high level of assurance that an individual is who he/she claims to be; and will provide a real-time authentication solution suited for consumer-level authentication where real-time identity validation of the consumer is necessary.
SUMMARY OF THE INVENTION

Briefly described, the present invention relates to a direct authentication system and method via trusted-authenticators.

In this invention, direct authentication of an individual would be achieved via a new two-factor authentication method used by businesses to authenticate customers' identity utilizing trusted-authenticators. A trusted-authenticator would be an entity that already knows the individual, maintains information about that individual, and has established a trusted relationship with that individual. A reasonable candidate for such a trusted-authenticator would be a bank or other financial institution with whom the individual has already established a relationship. In this invention, the financial services community will have a leading role in implementing stronger forms of authentication for identity theft and fraud prevention.

Experience shows that knowledge-based authentication, where individuals are recognized by demonstrating that they are in possession of information which only that individual would be expected to know, is an inexpensive, easy-to-use and easy-to-implement authentication method where the authentication is between two entities such as a bank's customer and the bank. It relies on secret information that is shared between these two entities. Therefore the underlying basis for this method is that only the real individual (the bank's customer) would know such identifying information. But when it comes to direct authentication at the consumer level, where the individual needs to authenticate his/her identity to other entities with whom the individual does not have an existing relationship, such knowledge-based authentication will not work.
Therefore, it is not secure to share the same secret information that the individual shares with one entity with other entities for identification purposes. Such information is static, and someone who happens to get access to it could use it for authentication at other entities as well. Therefore, knowledge-based authentication alone is not secure for direct authentication of individuals.

To eliminate the risks associated with the static nature of knowledge-based authentication, this invention suggests combining knowledge-based authentication with a dynamic key or information maintained by the trusted-authenticator to create a new two-factor authentication. This new two-factor authentication confirms individual identities using two different credentials:

a) Something the individual knows — This factor is a static key or information that the individual shares with his/her trusted-authenticator.

b) Something the individual receives — This factor refers to the SecureCode, which is a dynamic key or information that the individual requests and receives from his or her trusted-authenticator at the time of authentication through a communication network. It is important to note that the individual's dynamic key is an alphanumeric code and will have a different value each time the individual receives it from his/her trusted-authenticator for authentication purposes.

The strength of this new method of authentication comes from combining the two factors. This achieves a high level of assurance that an individual
is who he/she claims to be, enhances security and reduces privacy concerns.

The direct authentication of an individual works as follows:

When an individual is at a business's site (offline or online), for successful direct authentication the business requires the individual to provide his/her static and dynamic keys. The individual requests a dynamic key from his/her trusted-authenticator (using any communication network such as the Internet or a wireless network) and provides it, along with his/her static key, to the business. When the business receives the individual's static and dynamic keys, the business communicates authentication messages including the individual's static and dynamic keys to the trusted-authenticator. The trusted-authenticator verifies the individual's identity if both static and dynamic keys are valid; otherwise it sends an authentication denial message back to the business over the same communication network.
BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1a is a high-level overview of a direct authentication system and method according to the present invention where the business directly contacts the individual's trusted-authenticator for validation of the individual's identity.

Fig. 1b is another high-level overview of a direct authentication system and method according to the present invention where the business contacts the individual's trusted-authenticator through its own trusted-authenticator to validate the individual's identity.

Fig. 2a illustrates the direct authentication system and method according to the present invention where the business directly contacts the individual's trusted-authenticator for validation of the individual's identity.

Fig. 2b illustrates the direct authentication system and method according to the present invention where the business contacts the individual's trusted-authenticator through its own trusted-authenticator to validate the individual's identity.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein. It is to be understood, however, that the present invention may be embodied in various forms. Therefore, specific details disclosed herein are not to be interpreted as limiting, but rather as a basis for the claims and as a representative basis for teaching one skilled in the art to employ the present invention in virtually any appropriately detailed system, structure or manner.

Furthermore, as used herein, "individual" 10 broadly refers to a person, company or organization that has established a trusted relationship with a trusted-authenticator 30.

Furthermore, as used herein, "business" 20 broadly refers to a company or organization (online or offline) that has established a trusted relationship with a trusted-authenticator 40 and that needs to authenticate the identity of the individual 10.

The use of "trusted-authenticator" 30 refers to an entity that already knows the individual 10, maintains information about that individual 10, and has established a trusted relationship with that individual 10. A reasonable candidate for such a trusted-authenticator 30 would be a bank or other financial institution.

The use of "trusted-authenticator" 40 refers to an entity that already knows the business 20, maintains information about that business 20, and has established a trusted relationship with that business 20. A reasonable candidate for such a trusted-authenticator 40 would be a bank or other financial institution.
The use of "static key" refers to pre-shared information between the individual 10 and the individual's trusted-authenticator 30. The static key of an individual 10 is fixed information that does not change automatically and is used for authentication purposes. A static key might be any identification phrase such as a password, name, user name, SSN, alias, account number, customer number, etc., or a combination of this information.

The use of "dynamic key" refers to the SecureCode, which is a key or information that is variable and is provided to the individual 10 by the individual's trusted-authenticator 30 at the time it is needed for authentication. The dynamic key is an alphanumeric code and will have a different value each time the individual 10 receives it from his/her trusted-authenticator 30 for authentication purposes. To increase security, a dynamic key may have a non-repeating value, may be time dependent (valid for some period of time) and may be in an encrypted format.

The use of "communication network" 50 refers to any public or private network, wired or wireless (including cellular), that exists between individuals 10, trusted-authenticators 30, 40 and businesses 20 for communication.

The use of "face-to-face communication" 80 refers to a situation in which the "communication network" 50 is not required, meaning that the individual 10 is physically at the location of the business 20 to communicate with the business.
The use of "authentication message" refers to a message that businesses 20 and trusted-authenticators 30, 40 send and receive to validate an individual's identity. An authentication message may include the individual's static and dynamic keys and any other information.

With reference to Fig. 1a and Fig. 1b, a direct authentication system 1-1, 1-2 in accordance with the present invention is illustrated. The system 1-1 in Fig. 1a includes at least one individual 10, one individual's trusted-authenticator 30, one business 20 and a communication network 50. The system 1-2 in Fig. 1b includes at least one individual 10, one individual's trusted-authenticator 30, one business 20, one business's trusted-authenticator 40 and a communication network 50.

The business 20 needs to authenticate the identity of the individual 10 utilizing either the individual's trusted-authenticator 30 or its own trusted-authenticator 40.

Specifically, when the business 20 desires to validate the individual's 10 identity, the individual 10 is required by the business 20 to provide his/her static and dynamic keys. A static key is something the individual 10 knows and is a shared secret between the individual and the individual's trusted-authenticator 30. A dynamic key refers to the SecureCode, which is an alphanumeric code the individual 10 receives from his/her trusted-authenticator 30 at the time of authentication through a communication network 50. Each time an individual 10 receives a dynamic key from his/her trusted-authenticator 30, the dynamic key has a different value.
In accordance with the first embodiment of the present invention, Fig. 1a, the business 20 might directly communicate authentication messages with the individual's trusted-authenticator 30 and request the individual's trusted-authenticator 30 to validate the individual's 10 identity. An example would be a creditor 20 who receives the customer's 10 static and dynamic keys and directly communicates authentication messages with the customer's bank 30 to validate the customer's 10 identity.

In accordance with the second embodiment of the present invention, Fig. 1b, the business 20 might communicate authentication messages with its own trusted-authenticator 40 and request its own trusted-authenticator 40 to validate the individual's 10 identity by communicating authentication messages with the individual's trusted-authenticator 30. An example would be an online merchant 20 who receives the customer's 10 static and dynamic keys and communicates authentication messages with the merchant's bank 40. The merchant's bank 40 validates the customer's 10 identity by communicating authentication messages with the customer's bank 30.
`
Fig. 2a illustrates the direct authentication method 2-1 in accordance with the first embodiment of the present invention. For two-factor authentication of an individual, the business 20 requests 110 the individual 10 to provide static and dynamic keys for validation of his/her identity. The individual 10 already has his/her static key (not shown). If the individual 10 does not own a valid dynamic key, the individual 10 requests it 100 from his/her trusted-authenticator 30 by communicating over a communication network 50.

In response to the individual's request 100, the trusted-authenticator 30 calculates and sends 102 a dynamic key to the individual 10 over a communication network 50. The trusted-authenticator 30 maintains both the static and dynamic keys in association with the authentication transaction.

Upon receipt of the dynamic key, the individual 10 provides the static key and the dynamic key to the business 20, 112 for validation of his/her 10 identity.

Upon receipt of the individual's 10 static and dynamic keys, the business 20 constructs an authentication message including the individual's 10 keys and


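The Fig. 2a exchange of the first embodiment, modelled as an added example that is not code from the patent: the trusted-authenticator 30 issues a one-time SecureCode (steps 100/102), the business 20 wraps the static and dynamic keys it received at step 112 in an authentication message, and the trusted-authenticator validates both and discards the used code, so a replayed SecureCode or a wrong static key is refused. The class and function names, the 8-digit code format and the 120-second lifetime are assumptions; the patent specifies none of them.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 120  # seconds a SecureCode stays valid (assumed; the patent gives no lifetime)

class TrustedAuthenticator:
    # Individual's trusted-authenticator 30 (e.g. the customer's bank); class name assumed.
    def __init__(self):
        self.users = {}    # user_id -> (salt, sha256(salt + static key))
        self.pending = {}  # user_id -> (SecureCode, expiry) for the open transaction

    def enroll(self, user_id, static_key):
        # The static key is a shared secret with the individual; keep only a salted hash.
        salt = secrets.token_bytes(16)
        self.users[user_id] = (salt, hashlib.sha256(salt + static_key.encode()).digest())

    def issue_dynamic_key(self, user_id):
        # Steps 100/102: calculate a fresh SecureCode and keep it with the transaction.
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[user_id] = (code, time.time() + CODE_TTL)
        return code

    def validate(self, message):
        # Message forwarded by the business 20: static key must match and the SecureCode
        # must be the live, not-yet-used one issued for this transaction.
        rec = self.users.get(message["user"])
        pending = self.pending.pop(message["user"], None)  # consumed on first use
        if rec is None or pending is None:
            return False
        salt, digest = rec
        code, expires = pending
        static_ok = hmac.compare_digest(
            digest, hashlib.sha256(salt + message["static"].encode()).digest())
        dynamic_ok = hmac.compare_digest(code, message["dynamic"]) and time.time() < expires
        return static_ok and dynamic_ok

def business_authenticate(authenticator, user_id, static_key, dynamic_key):
    # Business 20 (e.g. a creditor): keys received at step 112 go into an authentication
    # message sent to the individual's trusted-authenticator 30 for validation.
    message = {"user": user_id, "static": static_key, "dynamic": dynamic_key}
    return authenticator.validate(message)

def run_exchange():
    # Constructed walk-through: genuine login, replay of the used SecureCode, wrong static key.
    bank = TrustedAuthenticator()
    bank.enroll("alice", "correct horse")   # constructed sample static key
    code = bank.issue_dynamic_key("alice")  # the individual requests a dynamic key (100)
    first = business_authenticate(bank, "alice", "correct horse", code)
    replay = business_authenticate(bank, "alice", "correct horse", code)
    wrong = business_authenticate(bank, "alice", "wrong secret", bank.issue_dynamic_key("alice"))
    return first, replay, wrong  # → (True, False, False)
```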