U.S. Patent Application of:

Nader Asghari-Kamrani;

and

Kamran Asghari-Kamrani.

USAA 1014

Direct Authentication and Authorization System and Method for Trusted Network of Financial Institutions

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation in part of and claims priority to U.S. patent application Serial No. 09/940,635 filed August 29, 2001. This application also claims priority to U.S. provisional patent application Serial No. 60/615,603 filed October 5, 2004.

BACKGROUND OF THE INVENTION

1. FIELD OF THE INVENTION

The present invention generally relates to a direct authentication and authorization system and method for trusted network of financial institutions allowing them to directly authenticate their customers and receive their authorization of financial transactions over a communication network such as the Internet. More specifically, the present invention is based on a new identification and authentication scheme as digital identity that enables financial institutions to directly authenticate their account owners and/or receive their authorization of financial transactions over a communication network such as the Internet.

2. BACKGROUND OF THE INVENTION

With the advent of the Internet, the number of online financial transactions has increased dramatically. With this increase, concerns for the security of the financial transactions, proof of authorization for such transactions, and the need for direct authentication of the parties to these transactions have also risen. Therefore the Internet is more than just a different delivery channel for online financial transactions. There are two unique characteristics of the Internet that require special considerations:

- The anonymity of the Internet creates an environment in which parties are not certain with whom they are doing business, which poses unique opportunities for fraud
- The Internet is an open network, which requires special security procedures to be deployed to prevent unauthorized access to the consumer financial information

These unique characteristics of the Internet needed to be addressed by financial institutions in order to maintain their dominance in the payment arena.

Today, any authentication over a communication network such as the Internet is an indirect authentication. Meaning, customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases. This type of authentication is not sufficient to truly identify the identity of customers and tell whether the customer is the actual account owner. This is why financial institutions have limited their online interbank and intrabank service offerings. For example, today, the financial institutions require their account owners to do their interbank funds transfer at a branch office and send a physical check to the receiver of the funds for payment, both of which are inconvenient and burdensome to corporate and individual customers.

NACHA (National Clearing House Association) operating rules and federal government regulations also require financial institutions to authenticate their customers’ identity and receive their authorization for any type of financial transaction such as payment or funds transfer over the Internet. In the physical world, financial transactions are authorized by the account owners in writing and signed or similarly authenticated. In the online world, however, financial institutions do not have any solution to meet these requirements. An electronic authorization for an online transaction should be authenticated by a method that 1) identifies the customer (account owner), and 2) manifests the assent of the customer to the authorization. Therefore, financial institutions must use a method that provides the same assurance as a signature in the physical world (a signature both uniquely identifies a person and evidences his assent to an agreement). These objectives should be met by whatever method or process a financial institution employs when obtaining a customer’s authorization electronically.

When dealing with customers over any communication network such as the Internet, financial institutions are facing numerous challenges:

- Be able to identify the identity of the customers;
- Be able to obtain transaction authorization from customers over the Internet;
- Be able to confirm that the customer is the account owner and is authorized to use such account

Financial institutions must meet these challenges in order to expand their online service offerings (interbank and intrabank) and maintain their dominance in the market. But lack of identification and real-time account verification methods have prevented financial institutions from achieving their goals.

Today, there are three different identification and authentication schemes in the market:

- Knowledge-based, which involves allowing access according to what a user knows;
- Token-based, which involves allowing access according to what a user possesses;
- Biometrics-based, which involves allowing access according to what the user is.

Due to various problems the current authentication schemes have, financial institutions have not been able to successfully use these technologies to perform direct authentication and authorization of their customers. Passwords are inexpensive and easy to use, but the static nature of passwords makes them vulnerable to replay attacks. Another drawback of passwords is that an online banking password cannot be used for identification and verification of a financial account at third party web sites. Biometrics can also be useful for user identification, but one problem with these schemes is the difficult tradeoff between imposter pass rate and false alarm rate. In addition, many biometric systems require specialized devices, which may be expensive. Token-based schemes are problematic as well. These are expensive to implement and require users to install special devices and software. Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token.

National Clearing House Association (NACHA) and several financial institutions such as Visa and MasterCard have also attempted to develop authentication systems and methods, such as ISAP (Internet Secure ATM Payments) and SET (Secure Electronic Transaction) using smart card technology, but due to aforementioned smart card problems they failed to achieve customer acceptance. Therefore, they are now experimenting with new password-based programs such as VPAS (Visa Payer Authentication Service) and UCAF (MasterCard Payer Authentication Service) to allow registered cardholders to verify their purchases, a process known as payer authentication, but unfortunately these have the abovementioned password issues and are specific to credit card transactions and do not apply to bank account transactions. It is also very difficult for a customer to manage. Owning N different credit cards requires recalling N different passwords for payment at checkout. According to a survey from Jupiter Media Metrix (epaynews.com, Feb. 21 2002), these systems and methods are also complicating the picture for consumers, who are worried by the mix of identification and authentication schemes.

As for the financial account ownership verification, currently, there are several companies that are attempting to bring systems and methods for verifying account ownership, such as Paypal (EBAY) and CashEdge.

Paypal introduces a system that initiates one or more verifying transactions using financial account information given by the customer. Selected details of the transaction(s) are saved, particularly details that may vary from one transaction to another. Such variable details may include the number of transactions performed, the amount of a transaction, the type of transaction (e.g., credit, debit, deposit, withdrawal), the merchant name or account used by the system for the transaction, etc. The customer then retrieves evidence of the transaction(s) from his or her financial institution, which may be accomplished on-line, by telephone, in a monthly statement, etc., and submits the requested details to the Paypal system. The submitted details are compared to the stored details and, if they match, the account ownership is verified and the customer is then allowed to use the financial account. There are many drawbacks associated with Paypal’s system, including:

- No real-time account verification: It takes 2 to 3 days to verify customer's financial account
- High cost: Paypal suggests sending two deposits (credits) to the user’s financial account, each of which is less than $0.99 in value.
- Weak account verification: An unauthorized individual who has access to the details about verifying transactions would be verified as the account owner.

CashEdge's system requires the customer to provide bank account information along with the username and password of the online banking web site that the customer is using to access his/her bank account. The system then applies the customer's username and password to login to the online banking system for verification of the account ownership. The drawbacks of CashEdge's system include:

- Security and Privacy Concerns: Requesting the customer to provide the online banking username and password to CashEdge raises customers’ security and privacy concerns.
- Weak account verification: An unauthorized individual who has access to the customer’s username and password would be verified as the account owner.
- Fraud Risk: Without CashEdge’s system, a fraudster who has access to customer's online banking username and password is not able to transfer funds from the customer’s account, but CashEdge system provides this opportunity to an unauthorized individual to commit fraud.

Financial institutions need a system that eliminates the aforementioned problems and concerns by:

- verifying customers’ identity
- verifying account ownerships in real-time
- providing proof of transaction authorization
- being secure, inexpensive and easy to use
- not requiring financial institutions to change their existing systems and processes
- covering bank account as well as credit card transactions

For convenience, the term "customer" is used throughout to represent a financial institution's individual or corporate customer.

The term “financial institution” is used herein to denote any institution such as bank, credit card issuer, brokerage firm, debit card or credit card company such as Visa, Master card, and AMEX or any other company that offers financial services.

The term “financial account” is used herein to denote any bank account, brokerage account, debit card and credit card account.

The term “account ownership verification” is used herein to denote the process of verifying that the financial account belongs to the customer and the customer is authorized to use such financial account.

The term “communication network” is used herein to denote any private, wireless or public network such as Internet.

The term “indirect authentication” is used herein to denote any authentication method that authenticates the customers based on customers’ information. Meaning, customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases.

The term “direct authentication” is used herein to denote any authentication method that authenticates the customers based on customers’ credentials such as biometric data or smart card.

The term “funds transfer network” is used herein to denote any network that financial institutions use to transfer funds, such as ACH, Fed wire, Visa network.

The term “interbank funds transfer” is used herein to denote account-to-account funds transfer between accounts at different financial institutions.

The term “debit pull” is used herein to denote the way electronic payments and funds transfer are authorized and executed, where the receiver of funds is asking the customer’s financial institution to debit the customer’s account.

The term “credit push” is used herein to denote the way electronic payments and funds transfer are authorized and executed, where the customer instructs his/her financial institution to credit the account of the receiver (e.g. merchant account).

The term “digital identity” is used herein to denote a dynamic, non-predictable and time dependent alphanumeric code, or any other key, which may be given by customer's financial institution to the customer over a communication network such as the Internet, and may be valid for one-time use. The customer's digital identity is used for identification, authentication and authorization purposes for processing transactions over the communication network. Digital identity is calculated using a proprietary algorithm that may include any other customer and/or transaction specific information to make the digital identity customer and transaction specific.

The term “identity authority” is used herein to denote any entity that offers direct authentication services to other businesses. Identity authority issues and manages the digital identity.

The term “Digital Identity System” is used herein to denote the system that deals with the calculation, transformation and validation of the digital identity using a proprietary algorithm.

The term “Digital Identity Network” is used herein to denote the trusted network between financial institutions using any communication network such as the Internet. The Digital Identity Network enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial transactions.

The term “Digital Identity Message” is used herein to denote the message sent or received over the Digital Identity Network that may include customer’s digital identity and transaction information.

SUMMARY OF THE INVENTION

The present invention provides a solution to the aforementioned problems and the challenges the financial institutions face today. The present invention relates to a direct authentication and authorization system and method for trusted network of financial institutions allowing them to directly authenticate their customers and receive their authorization of financial or non-financial transactions over a communication network such as the Internet.

To overcome the drawbacks of the known systems and methods discussed above, the present invention is based on a new identification and authentication method as digital identity. The new digital identity-based identification and authentication system and method:

- verifies customers’ identity
- verifies account ownerships in real-time
- provides proof of transaction authorization
- reduces the risk of fraud and identity theft
- is secure, inexpensive and easy to use
- does not require financial institutions to change their existing systems and processes
- could be utilized for bank account as well as credit card transactions

The digital identity is an alphanumeric code and unlike password, biometric and smart card, the digital identity may be valid for one time use and is dynamic, non-predictable and may be time dependent, which is calculated using a proprietary algorithm that may include other customer’s specific information, which makes the digital identity customer specific. Thus, it is impossible to calculate the same digital identity for two different customers or for two different customers to receive the same digital identity. Therefore, the digital identity offers the benefits of a password, biometric and smart card, without their disadvantages. It's as easy to use as password and as secure as biometric and smart card.

This invention comprises Digital Identity System and Digital Identity Network. The Digital Identity System deals with the calculation, transformation and validation of the digital identity. The Digital Identity Network is the trusted network between financial institutions that enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial or non-financial transactions. The Digital Identity Message may include customer’s digital identity and transaction information.

Direct authentication and authorization system and method according to the present invention may include the following participants:

- Originator: The Originator is the individual or corporate customer of the Participating Financial Institution (PFI). The Originator receives a new digital identity from its Participating Financial Institution (PFI) each time the Originator desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer. The Originator provides the digital identity to the Receiver for identification, authentication and/or authorization of the transaction.
- Receiver: Receiver is the individual or corporate customer of the Participating Financial Institution (PFI) that receives Originator’s digital identity for identification, authentication and/or authorization of the non-financial or financial transaction such as payment or funds transfer.
- PFI: The Participating Financial Institution is the financial institution that has an existing relationship with Originators and/or Receivers and offers services to the Originators and/or Receivers. When a PFI serves Originators, the PFI is acting as an Originating Participating Financial Institution (OPFI) and when a PFI serves Receivers the PFI is acting as a Receiving Participating Financial Institution (RPFI). A Participating Financial Institution (PFI) may participate in the Digital Identity Network as an OPFI as well as a RPFI.
- DID Operator: The Digital Identity Operator is the digital identity authority that provides digital identity-based authentication and authorization services to the Participating Financial Institutions (PFIs) by maintaining, operating and managing the Digital Identity System and Network. Each time the Originator desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer, its Participating Financial Institutions (OPFI) requests the DID Operator to calculate a new digital identity for that Originator.

Financial institutions need to become the Digital Identity Network participants to perform identification and authentication of their customers and/or receive their authorization of transactions.

This invention enables financial institutions and their business customers to perform identification and authentication of their customers and/or to manifest their assent to the authorization of transactions. The customer's digital identity, which has been provided to that customer by the customer’s financial institution, is issued and used at the time when third parties (e.g. merchant, billers) or other Participating Financial Institution needs to authenticate the customer’s identity, verify the account ownership and/or receive the customer’s authorization for the financial or non-financial transaction. Participating Financial Institutions issue digital identities to their account holders and validate digital identities issued by other Participating Financial Institutions in real time. Using Digital Identity System and Network, financial institutions can establish an environment in which parties to a transaction can reliably verify the electronic identities of customers, engage in legally binding agreements, and maintain auditable electronic information trails. The resulting high level of security and trust enables financial institutions to better serve the customers by enhancing their online service offerings.

This invention enables financial institutions to enhance security and reduce fraud by identifying their customers and account holders. This will allow them to provide various services to their customers. As an example, the invention may be used in interbank funds transfer transactions to perform identification and authentication, receive customers’ authorization and verify account ownership. As another example, the invention may be used in online payment transactions to perform identification and authentication of customers, receive customers’ authorization, obtain payments and receive account ownership verification.

As another example, the invention may be used in identity verification service offered by financial institutions to provide customer identification in e-commerce.

This invention relates to a system and method for verification of customers’ identity over a communication network such as the Internet.

Accordingly, it is a principal objective of the invention to perform account ownership verification in real-time over a communication network such as the Internet.

It is another objective of the invention to allow all parties involved in a transaction to give and receive transaction authorization over a communication network such as the Internet.

It is another objective of the invention to provide a direct authentication and authorization system and method that is secure, inexpensive, easy to use and offers privacy to the financial institutions’ customers.

It is another objective of the invention to provide a direct authentication and authorization system and method that does not require financial institutions to change their existing systems.

It is another objective of the invention to provide a direct authentication and authorization system and method that is independent from any financial institution and applies to various types of financial accounts.

It is another objective of the invention to reduce fraud and identity theft and increase security.

It is another objective of the invention to build a circle of trust between customers, financial institutions, and businesses in e-commerce.

It is another objective of the invention to enable financial institutions to become the identity authority.

These and other objects of the present invention will become readily apparent upon further review of the following specification and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Fig. 1 is a high-level overview of a direct authentication and authorization system and method for trusted network of financial institutions according to the present invention.

Fig. 2 is a high-level overview of Digital Identity System and Digital Identity Network in a direct authentication and authorization system and method according to the present invention.

Fig. 3 illustrates the participants of direct authentication and authorization system and method according to the present invention.

Fig. 4 illustrates financial institutions utilizing direct authentication and authorization system and method to process an interbank funds transfer transaction according to the present invention.

Fig. 5, 6, 7 are block diagrams illustrating the process flow of financial institutions utilizing direct authentication and authorization system and method to process an interbank funds transfer transaction according to the present invention.

Fig. 8 illustrates financial institutions utilizing direct authentication and authorization system and method to process an online payment transaction according to the present invention.

Fig. 9, 10, 11 are block diagrams illustrating the process flow of financial institutions utilizing direct authentication and authorization system and method to process an online payment transaction according to the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Detailed descriptions of the preferred embodiment are provided herein. It is to be understood, however, that the present invention may be embodied in various forms. Therefore, specific details disclosed herein are not to be interpreted as limiting, but rather as a basis for the claims and as a representative basis for teaching one skilled in the art to employ the present invention in virtually any appropriately detailed system, structure or manner.

The present invention, Fig. 1, relates to a direct authentication and authorization system and method 1, for trusted network of financial institutions 25, 35 allowing them to directly authenticate their customers 20 and receive their authorization of financial or non-financial transactions over a communication network 50 such as the Internet. More specifically, the present invention is based on a new identification and authentication method as digital identity 10 that enables financial institutions 25, 35 to directly authenticate their account owners 20 and/or receive their authorization of financial or non-financial transactions over a communication network 50 such as the Internet. The digital identity 10 based authentication is secure, inexpensive, easy to use and does not require financial institutions’ customers 20 to install any hardware or software on their systems.

The digital identity 10 is an alphanumeric code and unlike password, biometric and smart card, the digital identity 10 is dynamic, non-predictable and may be time dependent, which is calculated using a proprietary algorithm that may include other customer’s 20 specific information, which makes the digital identity 10 customer 20 specific. Thus, it is impossible to calculate the same digital identity 10 for two different customers 20 or for two different customers 20 to receive the same digital identity 10. Those skilled in the art appreciate that for digital identity 10 many different configurations are possible. In one embodiment the digital identity 10 is valid for one-time use and in another embodiment the digital identity is valid for multiple-time use.

The digital identity 10 is:

- Dynamic - each time a digital identity 10 is requested, a different digital identity 10 is calculated;
- Non-predictable - there is no concern with recognizing the pattern, therefore it is impossible to predict the next digital identity 10;
- Time dependent - the digital identity 10 may be valid within certain time constraints to prevent replay attacks;
- Sensitive - any change to a digital identity 10 in transit results in an invalid digital identity 10.

The digital identity 10 offers the benefits of a password, biometric and smart card, without their disadvantages. It 10 is as easy to use as password and as secure as biometric and smart card.

As illustrated in Fig. 2, this invention comprises Digital Identity System 2 and Digital Identity Network 3. The Digital Identity System 2 deals with the calculation, transformation and validation of the digital identity 10 using a proprietary algorithm. The Digital Identity Network 3 is the trusted network between financial institutions 25, 35 that enables the communication between financial institutions 25, 35 to send and receive Digital Identity Messages for identification and authentication of account owners 20 and authorization of financial or non-financial transactions. The Digital Identity Message may include customer's digital identity 10 and transaction information. When a financial institution 25, 35 agrees to use the Digital Identity System 2, the financial institution 25, 35 will participate in the Digital Identity Network 3 to interchange authentication and authorization messages as well as Digital Identity Messages with other Participating Financial Institutions 25, 35.

The Digital Identity System 2 and Digital Identity Network 3 are managed and operated by the DID Operator 30.

The Digital Identity Network 3 is used for identification and authentication of the financial institutions’ 25, 35 account owners 20 and/or authorization of financial or non-financial transactions. The Digital Identity Network 3 will not be used for the transfer of the actual funds between financial institutions 25, 35. Upon successful authentication and authorization, the Participating Financial Institutions 25, 35 or any third party on their behalf, will use their desired funds transfer network, such as ACH or Fed wire, to transfer funds between accounts.

Performing identification, authentication and authorization using digital identity 10 is secure. It is possible to compute millions of digital identities 10 for the same customer 20, and it is computationally infeasible to find customer's information from a given digital identity 10, or to find two different customers 20 with the same digital identity 10. Any change to a digital identity 10 in transit will fail to verify. The timing and dynamic nature of the digital identity protects the system 1 from replay attacks. Therefore the digital identity 10 offers more benefits to the financial institutions 25, 35, and their customers 20, 40 than the existing technologies such as biometrics.

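The four properties listed for the digital identity 10 (dynamic, non-predictable, time dependent, sensitive) and the security claims in the paragraph above can be illustrated with a keyed MAC plus server-side one-time state. This is an added example, not the application's proprietary algorithm, which the text does not disclose; HMAC-SHA256, the 120-second window, the string fields and the class name `DigitalIdentitySystem` are assumptions made for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import struct
import time

# Assumptions for this sketch (none of these come from the application):
# HMAC-SHA256 replaces the undisclosed proprietary algorithm, codes live
# for 120 seconds, and customer/transaction fields are plain strings.
VALIDITY_SECONDS = 120
NONCE_LEN = 10   # random bytes per code -> "dynamic", "non-predictable"
TAG_LEN = 10     # truncated MAC bytes   -> "sensitive" to any change


def _mac(key, customer_id, txn, nonce, issued_at):
    """MAC over length-prefixed fields so field boundaries cannot be shifted."""
    fields = (customer_id.encode(), txn.encode(), nonce, struct.pack(">Q", issued_at))
    msg = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class DigitalIdentitySystem:
    """Hypothetical issuer/validator, standing in for the DID Operator's role."""

    def __init__(self, key=None, clock=time.time):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._clock = clock
        self._pending = {}  # nonce -> (customer_id, issued_at), unused codes only

    def issue(self, customer_id, txn):
        """Return a fresh 32-character alphanumeric code bound to customer and txn."""
        nonce = secrets.token_bytes(NONCE_LEN)
        issued_at = int(self._clock())
        tag = _mac(self._key, customer_id, txn, nonce, issued_at)
        self._pending[nonce] = (customer_id, issued_at)
        return base64.b32encode(nonce + tag).decode("ascii")

    def validate(self, code, txn):
        """Return (customer_id, "ok") or (None, reason). A code is accepted once."""
        try:
            raw = base64.b32decode(code)
        except (binascii.Error, ValueError):
            return None, "malformed"
        if len(raw) != NONCE_LEN + TAG_LEN:
            return None, "malformed"
        nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
        entry = self._pending.get(nonce)
        if entry is None:
            return None, "unknown-or-used"       # replay of a consumed code lands here
        customer_id, issued_at = entry
        if self._clock() - issued_at > VALIDITY_SECONDS:
            del self._pending[nonce]
            return None, "expired"               # time dependence
        expected = _mac(self._key, customer_id, txn, nonce, issued_at)
        if not hmac.compare_digest(tag, expected):
            return None, "invalid"               # altered code or different transaction
        del self._pending[nonce]                 # one-time use
        return customer_id, "ok"


if __name__ == "__main__":
    dis = DigitalIdentitySystem()
    txn = "transfer:USD:250.00:to=RECEIVER-ACCT-1"   # constructed sample transaction
    code = dis.issue("customer-A", txn)
    # First presentation succeeds, the replay is rejected.
    print(code, dis.validate(code, txn), dis.validate(code, txn))
```

The random nonce is what makes two codes for the same customer and transaction differ; uniqueness across customers here rests on the nonce lookup and the MAC key, so it is a probabilistic guarantee rather than an absolute one.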
Direct authentication and authorization system and method 1, Fig. 3 according to the present invention may include the following participants:

- Originator 20: The Originator 20 is the individual or corporate customer of the Participating Financial Institution (PFI) 25, 35. The Originator 20 receives a new digital identity 10 from its Participating Financial Institution (PFI) 25 each time the Originator 20 desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer. The Originator 20 provides the digital identity 10 to the Receiver 40 for identification, authentication and/or authorization of the transaction. A plurality of Originators 20 has an existing relationship with a Participating Financial Institution (PFI) 25. The Originator 20 could also act as a Receiver 40 in a transaction.
- Receiver 40: The Receiver 40 is an individual or corporate customer of the Participating Financial Institution (RPFI) 35 that receives Originator’s 20 digital identity 10 for identification, authentication and/or authorization of the non-financial or financial transaction such as payment or funds transfer. The Receiver 40 processes the digital identity 10 received from the Originator 20 through its existing relationship with its Participating Financial Institution (RPFI) 35. The Receiver 40 could also act as an Originator 20 in a transaction.
- PFI 25, 35: The Participating Financial Institution 25, 35 is an institution that has an existing relationship with a plurality of Originators 20 and/or Receivers 40 and offers services to them 20, 40. When a PFI serves the Originator 20, the PFI is acting as an Originating Participating Financial Institution (OPFI) 25 and when a PFI serves the Receiver 40 the PFI is acting as a Receiving Participating Financial Institution (RPFI) 35. A Participating Financial Institution (PFI) could act as an OPFI 25 as well as a RPFI 35.
- DID Operator (Digital Identity Operator) 30: The DID Operator 30 is the digital identity authority that provides digital identity-based authentication and authorization services to the Participating Financial Institutions (PFIs) 25, 35 by maintaining, operating and managing the Digital Identity System 2 and Network 3. Each time the Originator 20 desires to initiate and authorize any non-financial or financial transaction such as payment or funds transfer, its Participating Financial Institutions (OPFI) 25 requests the DID Operator 30 to calculate a new digital identity 10 for that Originator 20. A plurality of Participati