US007444676B1

(12) United States Patent
Asghari-Kamrani et al.

(10) Patent No.: US 7,444,676 B1
(45) Date of Patent: Oct. 28, 2008

(54) DIRECT AUTHENTICATION AND AUTHORIZATION SYSTEM AND METHOD FOR TRUSTED NETWORK OF FINANCIAL INSTITUTIONS

(76) Inventors: Nader Asghari-Kamrani, 6558 Palisades Dr., Centreville, VA (US) 20121; Kamran Asghari-Kamrani, 6547 Palisades Dr., Centreville, VA (US) 20121

( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35

(21) Appl. No.: 11/239,046

(22) Filed: Sep. 30, 2005

Related U.S. Application Data

(63) Continuation-in-part of application No. 09/940,631, filed on Aug. 29, 2001.
(60) Provisional application No. 60/615,603, filed on Oct. 5, 2004.

(51) Int. Cl.
G06F 7/04 (2006.01)
G06F 19/00 (2006.01)
H04L 9/32 (2006.01)
H04L 9/00 (2006.01)

(52) U.S. Cl. ........................... 726/21; 726/4; 713/168; 713/170; 705/44; 705/64; 705/67

(58) Field of Classification Search ................... 726/4, 21; 713/168, 170; 705/64, 67, 44
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,838,812 A *      11/1998  Pare et al. ................. 382/115
5,883,810 A *      3/1999   Franklin et al. ............. 705/39
6,529,885 B1 *     3/2003   Johnson ..................... 705/64
6,748,367 B1 *     6/2004   Lee ......................... 705/66
2001/0044787 A1 *  11/2001  Shwartz et al. .............. 705/78

OTHER PUBLICATIONS

Federal Financial Institutions Examination Council (Oct. 2005), "Authentication in an Internet Banking Environment", available at http://www.ffiec.gov/pdf/authentication_guidance.pdf.
"Will Financial Institutions Really be more Secure With 2-Factor Authentication?", available at http://www.securitypark.co.uk/article.asp?articleid=25011&CategoryID=1.
"Experts Struggle to Fight Online 'Phishing'" (May 4, 2006), available at http://domainsmagazine.com/Domains_14/Domain_2830.shtml.

* Cited by examiner

Primary Examiner: Benjamin E. Lanier
Assistant Examiner: Abdulhakim Nobahar

(57) ABSTRACT

A system and method for direct authentication and/or authorization of transactions. The system includes a trusted Digital Identity (DID) Network connecting an Originating Participating Financial Institution (OPFI) and a Receiving Participating Financial Institution (RPFI) through a DID Operator. The DID Operator may further be coupled to a DID System that calculates digital identities for Originators. According to the method, direct authentication of the Originator and/or authorization of the transaction is initiated upon the Originator communicating its digital identity to the Receiver. The Receiver subsequently provides the digital identity to the RPFI. The RPFI is then able to communicate with the OPFI for authentication of the Originator and/or authorization of the transaction through the DID Operator, based on the Originator's digital identity. The transaction between the Originator and Receiver can be financial or non-financial and may include, for example, account-to-account transfers, identity authentication or express agreements. In another embodiment, authentication and/or authorization may be performed in real time.

20 Claims, 11 Drawing Sheets

[Front-page figure. Labels: Direct Authentication & Authorization System and Method (1); Communication Network (20); Originator (customer) (25); Receiver (business) (30); Digital Identity.]

[Exhibit stamp: USAA 1015]

U.S. Patent    Oct. 28, 2008    Sheet 1 of 11    US 7,444,676 B1

[Figure 1. Labels: Direct Authentication & Authorization System and Method (1); Communication Network (20); Originator (customer); Digital Identity; Receiver (business).]

[Figure 2 (Sheet 2 of 11). Only the reference numerals 2, 3, 25 and 35 are recoverable from the drawing.]

[Figure 3 (Sheet 3 of 11). Labels: Digital Identity System; Originator; Direct Authentication & Authorization System and Method (1); Receiver; Digital Identity Network (50).]

[Figure 4 (Sheet 4 of 11). Labels: Customer's Bank (OPFI); Customer's Bank (RPFI); Digital Identity; Customer (Originator and Receiver are the same entity); reference numerals 20, 40, 50. Legend: OPFI: Originating Participating Financial Institution; RPFI: Receiving Participating Financial Institution; <--> Data Communication; ---> Digital Identity flow; - - -> Funds transfer flow.]

Figure 5 (Sheet 5 of 11), flowchart:

100: Customer (Originator) authenticates him/herself to the first financial institution (OPFI).
105: Customer desires to transfer funds to his account at a second financial institution (RPFI).
110: Customer requests funds transfer from the OPFI over the communication network.
115: The OPFI starts the funds transfer process by requesting a new digital identity for that customer from the DID Operator over the Digital Identity Network.
120: DID Operator calculates a new digital identity for the customer and forwards it to the OPFI.
125: The OPFI records the digital identity along with the transaction information and presents it to the customer over the communication network.
130: To finalize the transfer, the OPFI requests the customer to provide this digital identity to the RPFI for identification and proof of account ownership and authorization of the funds transfer.
(continues at 140, Figure 6)

Figure 6 (Sheet 6 of 11), flowchart (continued from 130):

140: The customer authenticates himself to the RPFI.
145: Customer provides his/her digital identity to the RPFI to finalize the funds transfer.
150: The RPFI sends a Digital Identity Message containing the customer's digital identity to the DID Operator.
155: The DID Operator validates the customer's digital identity and identifies the customer.
    Yes -> 160: The DID Operator sends a Digital Identity Message to the OPFI for processing (continues at 180, Figure 7).
    No -> 157: DID Operator sends a denial identification and authorization message to the RPFI.
          158: RPFI sends a denial identification and authorization message to the customer.

Figure 7 (Sheet 7 of 11), flowchart (continued from 160):

180: OPFI receives the Digital Identity Message and validates the transaction.
    No -> 181: OPFI sends a denial identification and authorization message to the RPFI through the DID Operator.
          182: RPFI sends a denial identification and authorization message to the customer.
    Yes -> 185: OPFI records the Originator's authorization and sends the customer's account information back to the RPFI.
           186: RPFI finalizes the funds transfer transaction by transferring the funds using the desired funds transfer network.
           191: OPFI records the Originator's authorization and transfers the funds using the desired funds transfer network, such as the ACH network.
           192: OPFI sends an approval identification and authorization message back to the RPFI.
195: RPFI notifies the customer.

[Figure 8 (Sheet 8 of 11). Labels: Customer's Bank (OPFI); Customer's Bank (RPFI); Digital Identity; Individual/Corporate Customer (Originator) (20); Corporate Customer (Receiver) (40); reference numeral 50. Legend: OPFI: Originating Participating Financial Institution; RPFI: Receiving Participating Financial Institution; <--> Data Communication; ---> Digital Identity flow; - - -> Funds transfer flow.]

Figure 9 (Sheet 9 of 11), flowchart:

200: Customer (Originator) desires to transfer funds to a third party (Receiver such as a biller or merchant).
205: Customer authenticates himself to the first financial institution (OPFI) over a communication network.
210: Customer requests to send payment to the third party (Receiver) from the OPFI over the communication network.
215: The OPFI starts the payment process by requesting a new digital identity from the DID Operator over the Digital Identity Network, specific to that customer and/or transaction.
220: DID Operator calculates a new digital identity that may be specific to that customer and/or transaction, and forwards the customer's digital identity to the OPFI over the Digital Identity Network.
225: OPFI presents the digital identity to the customer (Originator) over the communication network.
230: To finalize the payment, OPFI requests the customer to provide this digital identity to the third party (Receiver) for identification and proof of account ownership and authorization of the payment.
(continues at 240, Figure 10)

Figure 10 (Sheet 10 of 11), flowchart (continued from 240):

245: The customer provides the digital identity to the third party (Receiver) for authentication and authorization of the payment.
250: To process the payment, the third party (Receiver) forwards the customer's digital identity to the RPFI along with the transaction information using any communication network.
255: The RPFI may validate the information and may forward a Digital Identity Message containing the customer's digital identity to the DID Operator for authentication and transaction authorization.
260: The DID Operator validates the digital identity and identifies and authenticates the customer.
    Denial path -> 267: DID Operator sends a denial identification and authorization message to the RPFI.
                   268: RPFI sends a denial identification and authorization message to the Receiver.
                   269: Receiver sends a denial identification and authorization message to the customer.
    Otherwise -> 265: The DID Operator sends a Digital Identity Message to the OPFI for processing (continues at 280, Figure 11).

Figure 11 (Sheet 11 of 11), flowchart (continued from 280):

285: The OPFI validates the customer's digital identity and/or verifies the transaction.
    Denial path -> 287: OPFI sends a denial identification and authorization message to the RPFI.
                   RPFI sends a denial identification and authorization message to the Receiver.
    Otherwise -> 296: OPFI records the Originator's authorization and sends the customer's account information back to the RPFI.
                 OPFI records the Originator's authorization and transfers the funds using the desired funds transfer network, such as the ACH network.
                 297: RPFI finalizes the funds transfer transaction by transferring the funds using the desired funds transfer network.
                 OPFI sends an approval identification and authorization message back to the RPFI.
                 298: RPFI notifies the Receiver.
(Reference numerals 291 and 292 also appear on the sheet; their boxes could not be recovered.)

DIRECT AUTHENTICATION AND AUTHORIZATION SYSTEM AND METHOD FOR TRUSTED NETWORK OF FINANCIAL INSTITUTIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation in part of and claims priority to U.S. patent application Ser. No. 09/940,635 filed Aug. 29, 2001. This application also claims priority to U.S. provisional patent application Ser. No. 60/615,603 filed Oct. 5, 2004.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention generally relates to a direct authentication and authorization system and method for a trusted network of financial institutions, allowing them to directly authenticate their customers and receive their authorization of financial transactions over a communication network such as the Internet. More specifically, the present invention is based on a new identification and authentication scheme, the digital identity, that enables financial institutions to directly authenticate their account owners and/or receive their authorization of financial transactions over a communication network such as the Internet.

2. Background of the Invention

With the advent of the Internet, the number of online financial transactions has increased dramatically. With this increase, concerns for the security of financial transactions, proof of authorization for such transactions, and the need for direct authentication of the parties to these transactions have also risen. The Internet is therefore more than just a different delivery channel for online financial transactions. Two unique characteristics of the Internet require special consideration:

The anonymity of the Internet creates an environment in which parties are not certain with whom they are doing business, which poses unique opportunities for fraud.

The Internet is an open network, which requires special security procedures to be deployed to prevent unauthorized access to consumer financial information.

These unique characteristics of the Internet need to be addressed by financial institutions in order to maintain their dominance in the payment arena. Today, any authentication over a communication network such as the Internet is an indirect authentication: customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases. This type of authentication is not sufficient to truly establish the identity of customers and tell whether the customer is the actual account owner. This is why financial institutions have limited their online interbank and intrabank service offerings. For example, today, financial institutions require their account owners to do their interbank funds transfers at a branch office and to send a physical check to the receiver of the funds for payment, both of which are inconvenient and burdensome to corporate and individual customers.
NACHA (National Clearing House Association) operating rules and federal government regulations also require financial institutions to authenticate their customers' identity and receive their authorization for any type of financial transaction, such as payment or funds transfer, over the Internet. In the physical world, financial transactions are authorized by the account owners in writing and signed or similarly authenticated. In the online world, however, financial institutions do not have any solution to meet these requirements. An electronic authorization for an online transaction should be authenticated by a method that 1) identifies the customer (account owner), and 2) manifests the assent of the customer to the authorization. Therefore, financial institutions must use a method that provides the same assurance as a signature in the physical world (a signature both uniquely identifies a person and evidences his assent to an agreement). These objectives should be met by whatever method or process a financial institution employs when obtaining a customer's authorization electronically.
When dealing with customers over any communication network such as the Internet, financial institutions face numerous challenges:

Being able to establish the identity of the customers;

Being able to obtain transaction authorization from customers over the Internet;

Being able to confirm that the customer is the account owner and is authorized to use such account.

Financial institutions must meet these challenges in order to expand their online service offerings (interbank and intrabank) and maintain their dominance in the market. But the lack of identification and real-time account verification methods has prevented financial institutions from achieving their goals.

Today, there are three different identification and authentication schemes in the market:

Knowledge-based, which involves allowing access according to what a user knows;

Token-based, which involves allowing access according to what a user possesses;

Biometrics-based, which involves allowing access according to what the user is.

Due to the various problems the current authentication schemes have, financial institutions have not been able to successfully use these technologies to perform direct authentication and authorization of their customers. Passwords are inexpensive and easy to use, but the static nature of passwords makes them vulnerable to replay attacks. Another drawback of passwords is that an online banking password cannot be used for identification and verification of a financial account at third-party web sites. Biometrics can also be useful for user identification, but one problem with these schemes is the difficult tradeoff between impostor pass rate and false alarm rate. In addition, many biometric systems require specialized devices, which may be expensive. Token-based schemes are problematic as well. They are expensive to implement and require users to install special devices and software. Most token-based authentication systems also use knowledge-based authentication to prevent impersonation through theft or loss of the token.
The National Clearing House Association (NACHA) and several financial institutions such as Visa and MasterCard have also attempted to develop authentication systems and methods, such as ISAP (Internet Secure ATM Payments) and SET (Secure Electronic Transaction) using smart card technology, but due to the aforementioned smart card problems they failed to achieve customer acceptance. Therefore, they are now experimenting with new password-based programs such as VPAS (Visa Payer Authentication Service) and UCAF (MasterCard Payer Authentication Service) to allow registered cardholders to verify their purchases, a process known as payer authentication; unfortunately these have the above-mentioned password issues, are specific to credit card transactions and do not apply to bank account transactions. They are also very difficult for a customer to manage: owning N different credit cards requires recalling N different passwords for payment at checkout. According to a survey from Jupiter Media Metrix (epaynews.com, Feb. 21, 2002), these systems and methods are also complicating the picture for consumers, who are worried by the mix of identification and authentication schemes.
As for financial account ownership verification, there are currently several companies attempting to bring to market systems and methods for verifying account ownership, such as Paypal (EBAY) and CashEdge.

Paypal introduces a system that initiates one or more verifying transactions using financial account information given by the customer. Selected details of the transaction(s) are saved, particularly details that may vary from one transaction to another. Such variable details may include the number of transactions performed, the amount of a transaction, the type of transaction (e.g., credit, debit, deposit, withdrawal), the merchant name or account used by the system for the transaction, etc. The customer then retrieves evidence of the transaction(s) from his or her financial institution, which may be accomplished on-line, by telephone, in a monthly statement, etc., and submits the requested details to the Paypal system. The submitted details are compared to the stored details and, if they match, the account ownership is verified and the customer is then allowed to use the financial account. There are many drawbacks associated with Paypal's system, including:

No real-time account verification: It takes 2 to 3 days to verify a customer's financial account.

High cost: Paypal suggests sending two deposits (credits) to the user's financial account, each of which is less than $0.99 in value.

Weak account verification: An unauthorized individual who has access to the details of the verifying transactions would be verified as the account owner.

CashEdge's system requires the customer to provide bank account information along with the username and password of the online banking web site that the customer uses to access his/her bank account. The system then applies the customer's username and password to log in to the online banking system for verification of the account ownership. The drawbacks of the CashEdge system include:

Security and privacy concerns: Requesting the customer to provide the online banking username and password to CashEdge raises customers' security and privacy concerns.

Weak account verification: An unauthorized individual who has access to the customer's username and password would be verified as the account owner.

Fraud risk: Without CashEdge's system, a fraudster who has access to a customer's online banking username and password is not able to transfer funds from the customer's account, but the CashEdge system provides this opportunity to an unauthorized individual to commit fraud.

Financial institutions need a system that eliminates the aforementioned problems and concerns by:

verifying customers' identity;

verifying account ownership in real time;

providing proof of transaction authorization;

being secure, inexpensive and easy to use;

not requiring financial institutions to change their existing systems and processes;

covering bank account as well as credit card transactions.

For convenience, the term "customer" is used throughout to represent a financial institution's individual or corporate customer.

The term "financial institution" is used herein to denote any institution such as a bank, credit card issuer, brokerage firm, debit card or credit card company such as Visa, MasterCard and AMEX, or any other company that offers financial services.

The term "financial account" is used herein to denote any bank account, brokerage account, debit card and credit card account.

The term "account ownership verification" is used herein to denote the process of verifying that the financial account belongs to the customer and that the customer is authorized to use such financial account.

The term "communication network" is used herein to denote any private, wireless or public network such as the Internet.

The term "indirect authentication" is used herein to denote any authentication method that authenticates customers based on customers' information; that is, customers provide confidential, personal and financial information, in the form of social security numbers, names, addresses, credit card and bank account numbers, and businesses verify this information by accessing external databases.

The term "direct authentication" is used herein to denote any authentication method that authenticates customers based on customers' credentials, such as biometric data or a smart card.

The term "funds transfer network" is used herein to denote any network that financial institutions use to transfer funds, such as ACH, Fed Wire or the Visa network.

The term "interbank funds transfer" is used herein to denote account-to-account funds transfer between accounts at different financial institutions.

The term "debit pull" is used herein to denote the way electronic payments and funds transfers are authorized and executed where the receiver of funds asks the customer's financial institution to debit the customer's account.

The term "credit push" is used herein to denote the way electronic payments and funds transfers are authorized and executed where the customer instructs his/her financial institution to credit the account of the receiver (e.g. a merchant account).

The term "digital identity" is used herein to denote a dynamic, non-predictable and time-dependent alphanumeric code, or any other key, which may be given by the customer's financial institution to the customer over a communication network such as the Internet, and which may be valid for one-time use. The customer's digital identity is used for identification, authentication and authorization purposes when processing transactions over the communication network. The digital identity is calculated using a proprietary algorithm that may include any other customer- and/or transaction-specific information, to make the digital identity customer- and transaction-specific.

The term "identity authority" is used herein to denote any entity that offers direct authentication services to other businesses. The identity authority issues and manages the digital identity.

The term "Digital Identity System" is used herein to denote the system that deals with the calculation, transformation and validation of the digital identity using a proprietary algorithm.

The term "Digital Identity Network" is used herein to denote the trusted network between financial institutions using any communication network such as the Internet. The Digital Identity Network enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial transactions.

The term "Digital Identity Message" is used herein to denote the message sent or received over the Digital Identity Network that may include the customer's digital identity and transaction information.

SUMMARY OF THE INVENTION

The present invention provides a solution to the aforementioned problems and to the challenges financial institutions face today. The present invention relates to a direct authentication and authorization system and method for a trusted network of financial institutions, allowing them to directly authenticate their customers and receive their authorization of financial or non-financial transactions over a communication network such as the Internet.

To overcome the drawbacks of the known systems and methods discussed above, the present invention is based on a new identification and authentication method, the digital identity. The new digital identity-based identification and authentication system and method:

verifies customers' identity;

verifies account ownership in real time;

provides proof of transaction authorization;

reduces the risk of fraud and identity theft;

is secure, inexpensive and easy to use;

does not require financial institutions to change their existing systems and processes;

could be utilized for bank account as well as credit card transactions.

The digital identity is an alphanumeric code and, unlike a password, biometric or smart card, the digital identity may be valid for one-time use and is dynamic, non-predictable and may be time-dependent. It is calculated using a proprietary algorithm that may include other customer-specific information, which makes the digital identity customer-specific. Thus, it is impossible to calculate the same digital identity for two different customers, or for two different customers to receive the same digital identity. Therefore, the digital identity offers the benefits of a password, biometric and smart card without their disadvantages. It is as easy to use as a password and as secure as a biometric or smart card.

This invention comprises a Digital Identity System and a Digital Identity Network. The Digital Identity System deals with the calculation, transformation and validation of the digital identity. The Digital Identity Network is the trusted network between financial institutions that enables the communication between financial institutions to send and receive Digital Identity Messages for identification and authentication of account owners and authorization of financial or non-financial transactions. The Digital Identity Message may include the customer's digital identity and transaction information.
A direct authentication and authorization system and method according to the present invention may include the following participants:

Originator: the Originator is the individual or corporate customer of the Participating Financial Institution (PFI). The Originator receives a new digital identity from its Participating Financial Institution (PFI) each time the Originator desires to initiate and authorize any non-financial or financial transaction, such as a payment or funds transfer. The Originator provides the digital identity to the Receiver for identification, authentication and/or authorization of the transaction.

Receiver: the Receiver is the individual or corporate customer of the Participating Financial Institution (PFI) that receives the Originator's digital identity for identification, authentication and/or authorization of the non-financial or financial transaction, such as a payment or funds transfer.

PFI: the Participating Financial Institution is the financial institution that has an existing relationship with Originators and/or Receivers and offers services to the Originators and/or Receivers. When a PFI serves Originators, the PFI is acting as an Originating Participating Financial Institution (OPFI), and when a PFI serves Receivers, the PFI is acting as a Receiving Participating Financial Institution (RPFI). A Participating Financial Institution (PFI) may participate in the Digital Identity Network as an OPFI as well as an RPFI.

DID Operator: the Digital Identity Operator is the digital identity authority that provides digital identity-based authentication and authorization services to the Participating Financial Institutions (PFIs) by maintaining, operating and managing the Digital Identity System and Network. Each time the Originator desires to initiate and authorize any non-financial or financial transaction, such as a payment or funds transfer, its Participating Financial Institution (OPFI) requests the DID Operator to calculate a new digital identity for that Originator.

Financial institutions need to become Digital Identity Network participants to perform identification and authentication of their customers and/or receive their authorization of transactions.
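The participant roles above, the definition of "digital identity" (dynamic, non-predictable, time-dependent, one-time, customer- and transaction-specific) and the interbank transfer flow of Figures 5 through 7, walked through as an added example. This is not code from the patent or its owners: the patent only calls the generation algorithm proprietary, so the construction used here (an HMAC over customer, transaction and issue time mixed with a random nonce, truncated to a 16-character base32 code), the 120-second validity window, the bank names, the account and the amounts are all assumptions of this example. It shows the approval path and the three presentations a validating DID Operator has to deny: a replayed code, an expired code, and a code presented with altered transaction details.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

DID_TTL_SECONDS = 120  # assumed validity window for a digital identity


@dataclass(frozen=True)
class Transaction:
    from_account: str
    to_institution: str
    amount: int  # cents

    def key(self) -> str:
        return f"{self.from_account}|{self.to_institution}|{self.amount}"


class DIDOperator:
    """DID Operator / Digital Identity System: issues and validates digital identities."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # constructed; never leaves the operator
        self._issued: dict = {}  # code -> record of who it was issued to and for what
        self.opfis: dict = {}  # OPFI name -> OPFI reachable over the Digital Identity Network

    def issue(self, opfi: str, customer_id: str, txn: Transaction, now: float) -> str:
        # Step 120. The nonce makes the code non-predictable; the HMAC over customer,
        # transaction and issue time (assumed construction, not the patent's algorithm)
        # ties the code to this customer and this transaction.
        nonce = secrets.token_bytes(16)
        msg = f"{opfi}|{customer_id}|{txn.key()}|{now}".encode() + nonce
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()[:10]
        did = base64.b32encode(tag).decode()  # 16-character alphanumeric code, no padding
        self._issued[did] = {"customer": customer_id, "opfi": opfi,
                             "txn": txn.key(), "at": now, "used": False}
        return did

    def validate(self, did: str, txn: Transaction, now: float) -> tuple[bool, str]:
        # Steps 155-160: identify the customer behind the code, then hand the Digital
        # Identity Message to the issuing OPFI; any failure is a denial back to the RPFI.
        rec = self._issued.get(did)
        if rec is None:
            return False, "unknown digital identity"
        if rec["used"]:
            return False, "digital identity already used"
        if now - rec["at"] > DID_TTL_SECONDS:
            return False, "digital identity expired"
        rec["used"] = True  # one-time use: burned on first presentation, whatever the outcome
        if rec["txn"] != txn.key():
            return False, "transaction does not match issued digital identity"
        return self.opfis[rec["opfi"]].authorize(rec["customer"], txn)


class OPFI:
    """Originating PFI: holds the customer's account and requests digital identities."""

    def __init__(self, name: str, operator: DIDOperator, accounts: dict):
        self.name, self.operator, self.accounts = name, operator, accounts
        operator.opfis[name] = self
        self.authorizations: list = []  # auditable trail of originator authorizations

    def start_transfer(self, customer_id: str, txn: Transaction, now: float) -> str:
        # Steps 100-130: the already-authenticated customer asks for a transfer; the OPFI
        # requests a new digital identity and presents it to the customer.
        owner, _ = self.accounts[txn.from_account]
        if owner != customer_id:
            raise PermissionError("customer does not own the source account")
        return self.operator.issue(self.name, customer_id, txn, now)

    def authorize(self, customer_id: str, txn: Transaction) -> tuple[bool, str]:
        # Steps 180-192: confirm ownership and funds, record the authorization and move
        # the funds (credit push); otherwise a denial goes back through the DID Operator.
        owner, balance = self.accounts[txn.from_account]
        if owner != customer_id or balance < txn.amount:
            return False, "OPFI denied identification and authorization"
        self.accounts[txn.from_account] = (owner, balance - txn.amount)
        self.authorizations.append((customer_id, txn.key()))
        return True, "OPFI approved identification and authorization"


def rpfi_finalize_transfer(operator: DIDOperator, did: str, txn: Transaction, now: float):
    # Steps 145-150, the RPFI's part: forward the customer's digital identity and the
    # transaction information to the DID Operator in a Digital Identity Message.
    return operator.validate(did, txn, now)


def run_scenario() -> dict:
    """Happy path plus the replay, expiry and tampering cases the scheme must reject."""
    op = DIDOperator()
    opfi = OPFI("BankA", op, {"A-1001": ("alice", 50_000)})  # constructed sample account
    txn = Transaction("A-1001", "BankB", 12_500)
    t0, results = 1_000.0, {}
    did = opfi.start_transfer("alice", txn, t0)
    results["approved"] = rpfi_finalize_transfer(op, did, txn, t0 + 30)
    results["replayed"] = rpfi_finalize_transfer(op, did, txn, t0 + 31)
    stale = opfi.start_transfer("alice", txn, t0)
    results["expired"] = rpfi_finalize_transfer(op, stale, txn, t0 + DID_TTL_SECONDS + 1)
    fresh = opfi.start_transfer("alice", txn, t0)
    tampered = Transaction("A-1001", "BankB", 99_000)  # amount altered in transit
    results["tampered"] = rpfi_finalize_transfer(op, fresh, tampered, t0 + 5)
    results["balance"] = opfi.accounts["A-1001"][1]
    return results
```

Calling run_scenario() returns the approval for the first presentation, "digital identity already used" for the replay, "digital identity expired" for the stale code, the mismatch denial for the altered amount, and a balance debited exactly once. The code is marked used before the transaction comparison rather than after, so a code presented with the wrong transaction details cannot be retried with the right ones; in a deployment the OPFI's own record of the code and transaction (step 125) would be reconciled against the operator's decision, and the operator's secret and issued-code store would live behind the Digital Identity Network rather than in one process.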
This invention enables financial institutions and their business customers to perform identification and authentication of their customers and/or to manifest their assent to the authorization of transactions. The customer's digital identity, which has been provided to that customer by the customer's financial institution, is issued and used at the time when third parties (e.g. merchants, billers) or another Participating Financial Institution need to authenticate the customer's identity, verify the account ownership and/or receive the customer's authorization for the financial or non-financial transaction. Participating Financial Institutions issue digital identities to their account holders and validate digital identities issued by other Participating Financial Institutions in real time. Using the Digital Identity System and Network, financial institutions can establish an environment in which parties to a transaction can reliably verify the electronic identities of customers, engage in legally binding agreements, and maintain auditable electronic information trails. The resulting high level of security and trust enables financial institutions to better serve their customers by enhancing their online service offerings.

This invention enables financial institutions to enhance security and reduce fraud by identifying their customers and account holders. This will allow them to provide various services to their customers. As an example, the invention may be used in interbank funds transfer transactions to perform identification and authentication, receive customers' authorization and verify account ownership. As another example, the invention may be used in online payment transactions to perform identification and authentication of customers, receive customers' authorization, obtain payments and receive account ownership verification.

As another example, the invention may be used in an identity verification service offered by financial institutions to provide customer identification in e-commerce.

This invention relates to a system and method for verification of customers' identity over a communication network such as the Internet.

Accordingly, it is a principal objective of the invention to perform account ownership verification in real time over a communication network such as the Internet.

It is another objective of the invention to allow all parties involved in a transaction to give and receive transaction authorization over a communication network such as the Internet.

It is another objective of the invention to provide a direct authentication and authorization system and method that is secure, inexpensive, easy to use and offers privacy to the financial institutions
