US 20040203595A1

(19) United States
(12) Patent Application Publication
Singhal

(10) Pub. No.: US 2004/0203595 A1
(43) Pub. Date: Oct. 14, 2004

(54) METHOD AND APPARATUS FOR USER AUTHENTICATION USING A CELLULAR TELEPHONE AND A TRANSIENT PASS CODE

(76) Inventor: Tara Chand Singhal, Torrance, CA (US)

Correspondence Address:
Tara Chand Singhal
P.O. Box 5075
Torrance, CA 90510 (US)

(21) Appl. No.: 10/217,287

(22) Filed: Aug. 12, 2002

Publication Classification

(51) Int. Cl.7 ...................................................... H04M 1/66
(52) U.S. Cl. ......................................... 455/411; 455/414.1

(57) ABSTRACT

Authentication system 10 is used to store a user's existing passwords; alternatively, the authentication system creates on demand a transient random pass code that is good for a limited duration. When the user has forgotten the password in a traditional system, or alternatively, without the need to create or remember passwords, the user can use transient pass codes. The user retrieves the password or the pass code via a cell telephone 800 call to the authentication system, before logging on to the system.

[Front-page drawing (FIG. 1A): Telephone Network 16; Authentication System 10 ("Verify caller and create time-limited pass code, or retrieve existing password"); System interface 02; Bank System 20A; Business System 20B; Consumer System 20C; Facility Access System 20D.]

TWILIO INC. Ex. 1009 Page 1

[FIG. 1A (Sheet 1 of 6), drawing: User 06 with cell telephone 04 calls Authentication System 10 over Telephone Network 16 ("Verify caller and create time-limited pass code, or retrieve existing password"); the user reaches Bank System 20A, Business System 20B, Consumer System 20C or Facility Access System 20D through System interface 02. Encircled numerals mark the steps described in paragraphs [0043]-[0048].]

Patent Application Publication Oct. 14, 2004 Sheet 2 of 6 US 2004/0203595 A1

[FIG. 1B, drawing: Authentication Function 10A embedded in System 20A as part of its Access Control Function 34, which maintains User ID 12 and Password 28; User 06 with cell telephone 04 reaches it over Telephone Network 16 and System interface 02.]

[FIG. 1C (Sheet 3 of 6), drawing: User 06 with cell telephone 04 calls Authentication System 10 over Telephone Network 16 ("Verify caller and create time-limited passkey"); a packet 22 sent through System interface 02 to System 20A-D carries Packet Header 30 (Source, Destination, Packet ID, Passkey 29) and Packet Data 32 (Data); System 20A-D has Access Control function 34 and Firewall 24.]

[FIG. 2 (Sheet 4 of 6), system interfaces 02:

Log in Web page 210: User Id 12, Password 28. Legend 216: "If you forget your password, call 1-800 222 4433 using your cell phone to obtain the password."

Log in Web page 220: User Id 12, Transient Pass Code 14. Legend 226: "No need to create or remember passwords. Use Transient Pass Code. Call 1-800 222 9999 using your cell phone to obtain a transient pass code."

ATM/POS/Facility Access Terminal 250: "Insert/slide your card and enter PIN." Legend: "Use Transient PIN. Call 1-800 222 9999 using your cell phone to obtain a transient PIN."

Log in Web page 230: Passkey 29, shown as 7073994333-4345. Legend 236: "Call 1-800 Bank One using your cell phone to obtain the passkey."]

[FIG. 3 (Sheet 5 of 6), block diagram of Authentication System 10: Authentication System Processor 330; Storage Devices 326; Operating System 302; Authentication Function 10A.

User Database 338: Customer ID (caller ID) 350; Name 352; E-mail address 354; PIN 356; System A ID 358; User ID 360; Set time 362; Password 364.

Transaction Database 342: Transaction Reference 370; Date/Time 372; Caller Id 374; System ID 358; User ID 360; Set time 376.

System Database 340: System A ID 358; System A Name 366; Access Path 368.]

[FIG. 4 (Sheet 6 of 6), web pages for user access to the authentication system:

Account Open/Access Web page 400: Cell Tel number 350, Name 352, E-mail 354, PIN 356.

System Data Web Page 410: System Name 366 / Password 364: Bank / Argol20; Shopping / Colata12; Business / Biz2000.

System Selection Web Page 420 ("Select system, enter system user id and time"): columns System ID 358, Selection 422, System Name 366, User ID 360, Time 362; six numbered rows with system names Bank Acme 414A, Shop Amaze, DMV 414B, Shop NWRK 414C and Business ABC, selections X1, X2 and X3 marked, entries Shimkin120, Root400, AOL 1999 and SSADMIN, and times 30 sec., 60 sec. and 1 day (column alignment is not recoverable from the scan).]

METHOD AND APPARATUS FOR USER AUTHENTICATION USING A CELLULAR TELEPHONE AND A TRANSIENT PASS CODE

FIELD OF THE INVENTION

[0001] The present invention is directed to a method and apparatus for user authentication to a computer system using a cellular telephone and transient pass codes.

BACKGROUND

[0002] Access to a computer system is controlled by a combination of a user ID to identify a user and a password to verify the user. The password is initially created by the system and then can be changed by the user. It is known only to the user and is kept secure by an access control function within the computer system.

[0003] The combination of a user ID and password is the prevalent technology for access control to computer systems and is used in: (i) government agencies such as defense systems, by defense employees, to control access to classified data, (ii) business systems, by employees of the business, to control access to sensitive data, (iii) consumer systems, by consumers, to control access to consumer services and resources provided by a business, and (iv) banking systems, to control access to online account data, and so on.

[0004] The use of a password to control access suffers from some deficiencies, such as too many passwords, passwords that are easy to forget, unfamiliar long-string passwords that are difficult to remember, and the risk of compromise.

[0005] There have been many solutions to address one or more of these deficiencies. Some of them have been: 1) having longer passwords of at least 6 to 8 characters, where the password must have a combination of numerals and alphabetic characters; 2) having passwords that have a combination of lower and upper case letters as well as a punctuation character, also referred to as a pass phrase; 3) having two layers of passwords, common in defense systems; 4) having the password changed periodically, such as once a month or every three months, which is common in defense and sensitive business systems; 5) supplying additional personal data, such as mother's name, place of birth or other data, to the computer system when a password is forgotten, so that such data may be used to verify the user in lieu of a forgotten password.

[0006] New innovative solutions to address these deficiencies in password technology are also being researched. One example is a recent news report on Microsoft, which describes a research effort on creating and using a password that depends upon a user selecting points on a picture. The pixel location sequence is to be used as a password, as it is believed that points on a picture are easy to remember and also create a complex password.

[0007] Other solutions have been biometrics, such as the use of one's fingerprint, handprint, or retina scan, to control access to a facility controlled by a computer system. Based on published stories, the use of biometrics has problems, such as a fingerprint check being easily fooled by an imposter gluing someone else's fingerprint onto his fingers, and people being hesitant to make biometric data available to computer systems for privacy reasons.

[0008] Smart cards are also being used in some cases to control access to a computer system. Use of smart cards or tokens requires a smart card reader and a smart card being given to a person in advance. For these and other reasons they have not gained widespread popularity.

[0009] In light of the above, it is an objective of the present invention to have a user authentication system that eliminates the problems of: (i) the users, in having to create and remember passwords, in having to create different passwords for access to different systems, and in passwords being stolen from the users by their carelessness or negligence; and (ii) the businesses, in having to maintain computer systems that have a risk of compromise of passwords by carelessness of their employees or by external hacker attacks.

SUMMARY

[0010] The present invention is directed to a method and apparatus for a user authentication system that uses a cellular telephone. In one embodiment, an authentication system is used to store a user's existing passwords. When the user has forgotten the password, the user can retrieve it via an 800 number call to the authentication system using his/her cell telephone, before logging on to the system. The current caller ID technology provided by the telephone companies uniquely identifies a cell phone owner and is used to verify the caller to the authentication system.

[0011] In another embodiment, the authentication system does not store existing passwords, but creates, on demand, a temporary or transient random pass code that is good for a limited time. Such transient pass codes are randomly created only at the instance of use. They do not exist earlier anywhere. They can be very simple, for example a 3-digit numeral, and are believed to be far more secure in their operation and use than the current use of passwords.

[0012] The user has only a set time to gain access to the computer system using the user ID and the transient pass code. The set time may be selected based on the user's preference and the security needs of the system.

[0013] This invention may be practiced in different versions, as the systems have different security needs and the users have different habits. These are described in the description section.

[0014] The authentication system of this invention serves (i) the users, by the users not having to create and/or remember passwords, and (ii) the businesses, by eliminating the risk of having passwords compromised by carelessness or negligence of users or employees and of being a target for hackers.

BRIEF DESCRIPTION OF THE DRAWINGS

[0015] The novel features of this invention, as well as the invention itself, both as to its structure and its operation, will be best understood from the accompanying drawings, taken in conjunction with the accompanying description, in which similar reference characters refer to similar parts, and in which:

[0016] FIG. 1A is a block diagram that illustrates a version of the current invention;

[0017] FIG. 1B is a block diagram that illustrates another version of the current invention;

[0018] FIG. 1C is a block diagram that illustrates yet another version of the current invention;

[0019] FIG. 2 illustrates system interfaces;

[0020] FIG. 3 is a block diagram that illustrates a version of the authentication system; and

[0021] FIG. 4 is a version of web pages that illustrates user access to the authentication system.

DESCRIPTION

[0022] Introduction

[0023] In this specification, the terms pass code and password are used interchangeably. However, where it is necessary to distinguish, the term password is used for an existing password and pass code is used for those passwords that are created on demand for an instance of use according to this invention.

[0024] With initial reference to FIG. 1A, authentication system 10 interfaces with a user 06 via a cellular telephone 04 and telephone network 16. The user has access to the system 20A-D via a system interface 02. The system 20A-D may be a bank system 20A, a business system 20B, a consumer system 20C or a facility access system 20D.

[0025] As illustrated in FIG. 2, the system interface 02 may be a log in web page 210, 220, 230 or it may be an ATM/POS/Facility Access terminal 250.

[0026] As illustrated in FIG. 1A, the authentication system 10 may be deployed as a stand-alone system, where it may store, and allow the user to retrieve, passwords for multiple systems 20A-D where the user maintains accounts.

[0027] Alternatively, the authentication system 10 functions may be embedded in the system 20A-D itself, such that the user is able to retrieve the password for that particular system. With reference to FIG. 1B, authentication system 10 functions may be embedded in the system 20 itself as authentication function 10A, as part of the system 20A-D's existing access control function 34, which maintains user ID 12 and password 28.

[0028] In a first embodiment with stored passwords, the invention enables storing a user's passwords for systems 20A-D in an authentication system 10, from where they can be retrieved by the user 06, when forgotten, through use of a cell phone 04.

[0029] In a second embodiment with transient pass codes, the authentication system 10, on request of a user 06 via a cell phone 04, creates in real time a random transient pass code for use for a limited time. The authentication system 10 communicates the transient pass code to the user 06 via voice response on the cell phone 04. The authentication system 10 also communicates the transient pass code to the specific system 20 to which the user 06 wishes to gain access.

[0030] A cell telephone 04 is used to call the authentication system 10 because a cell telephone: (i) is a personal item in the personal physical control of the owner, (ii) uniquely identifies the owner, as an entity independent of the owner, the telephone company, has verified the owner identity, (iii) provides caller ID which cannot be tampered with or altered by a user, as the caller ID is provided by the telephone company computer systems; furthermore the caller ID cannot be blocked when calling an 800 number, (iv) due to its convenience and affordable pricing is used by almost everybody, and (v) has a minimal risk of theft, as the location of a cell phone can be traced by the telephone company. However, fixed telephones, as in a home, may also be used.

[0031] These embodiments are described herein. The headings are provided for the convenience of the reader.

[0032] Embodiment with Stored Passwords

[0033] The user 06 makes a secure Internet connection to the authentication system 10 (not shown), which provides a web page 400 as illustrated in FIG. 4. The web page 400 allows the user 06 to create or access the user's account in the authentication system 10. The data required on web page 400 is cell tel number 350, name 352, e-mail 354 and PIN 356.

[0034] The web page 410, displayed in response to completing web page 400 data entries, allows the user 06 to enter the system 20 names 366 and corresponding passwords 364. The user can enter multiple system names and passwords. The data so entered is saved in the authentication system 10, described later with respect to FIG. 3.

[0035] Subsequently, with reference to FIG. 2, if the user 06, when logging on to a system 20A-D with a login web page 210, which requires a user ID 12 and a password 28, has forgotten the password, the legend 216 advises the user to call an 800 number to retrieve the password.

[0036] When the user 06 calls the authentication system 10 using his/her cell phone 04, the authentication system 10 verifies the caller ID as telephone number 350 and prompts for the PIN 356 and the name of the system 366, asking the user to enter PIN 356 and select the system 20, if the user has stored a password for more than one system. The authentication system 10 then voice responds with the password 364 of the selected system. The voice response technology, such as being able to annunciate alphanumeric digits, is prior art that is in common use in telephone and banking systems.

[0037] Embodiment with Transient Pass Code

[0038] The user 06 makes a secure Internet connection to the authentication system 10 (not shown), which provides a web page 400 as illustrated in FIG. 4. The web page 400 allows the user 06 to create or access the user account in the authentication system 10. The data required on web page 400 is cell tel number 350, name 352, e-mail 354 and PIN 356.

[0039] The web page 420, displayed in response to completing the data in web page 400, provides a list of systems 20A-D with which the authentication system 10 has a prior established interface. The page 420 displays a list of such systems by system ID 358 and system name 366.

[0040] The web page 420 allows the user 06 to select the systems where he/she has an account 422 and, for each such system, to enter the corresponding user ID 360 and set time 362 for the transient pass code. As an illustration, the user 06 has selected three systems: Bank Acme 414A, DMV 414B and Shop NWRK 414C. These selections are identified as 1, 2 and 3 as system ID 422. The data so entered in page 420 is saved in the authentication system 10, described later with respect to FIG. 3.

[0041] User 06 opens the authentication system 10 account via a secure Internet connection. To eliminate the possibility of fraud where someone else may open the user account with access to user data, the authentication system 10 verifies the user identity. This verification of user identity may include one or more steps, such as calling the user on the cell phone number to verify the user has the cell phone number, and contacting the telephone company and verifying that the cell phone owner name matches that provided by the user.

[0042] The steps required to use the authentication system 10, as highlighted in FIG. 1A by encircled numerals, are:

[0043] (1) A user 06 calls, on his/her cell phone 04, the authentication system 10. The authentication system has pre-stored system identification and corresponding user identification. The user enters a PIN and identifies the system as 1, 2 or 3.

[0044] (2) The authentication system verifies the caller by caller ID and the PIN and creates a time-limited password.

[0045] (3) The authentication system communicates the time-limited password to the cell phone via voice response.

[0046] (4) The authentication system communicates the time-limited password to the system 20 using the system identification and the user identification.

[0047] (5) The user accesses the system 20, via a system interface 02, by providing the user identification and the time-limited password. The system then grants access after verifying the user identification and the time-limited password.

[0048] (6) The system 20 deletes the time-limited password on occurrence of first access or expiration of a time limit.

[0049] Authentication System 10

[0050] Referring to FIG. 3, the authentication system 10 includes (i) a storage device 326, (ii) an operating system 302 stored in the storage device 326, (iii) an authentication function program 10A stored in the storage device 326, and (iv) a processor 330 connected to the storage device 326.

[0051] The processor 330 can include one or more conventional CPUs. The processor 330 can be capable of high volume processing and database searches.

[0052] The authentication system storage device 326 can, for example, include one or more magnetic disk drives, magnetic tape drives, optical storage units, CD-ROM drives and/or flash memory. The storage device 326 also contains a plurality of databases used in the processing of transactions pursuant to the present invention. For example, as illustrated in FIG. 3, the storage device 326 can include a system database 340, a customer database 338 and a transaction database 342.

[0053] The authentication system 10 includes a system network interface (not shown) that allows the authentication system 10 to communicate with the user 06. Conventional internal or external modems may serve as the system network interface. In one embodiment, the system network interface is connected to the user interface 02 on a global network 18.

[0054] The authentication system 10 also includes a system network interface (not shown) that allows the authentication system 10 to communicate with the telephone network 16 to receive and respond to telephone calls from the user 06.

[0055] The authentication system 10 also includes a system network interface (not shown) that allows the computer 10 to communicate with systems 20A-D. Conventional internal or external modems may serve as the system network interface. In one embodiment, the system network interface is connected to the system 20A-D on a global network 18.

[0056] The processor 330 is operative with the authentication function 10A to perform a customer interface function, a password function, and a system interface function. These are described later in the specification.

[0057] Databases 338-342

[0058] With reference to FIG. 3, the databases in the authentication system 10 are described.

[0059] The customer database 338 within the authentication system 10 contains data specifically related to the user 06 that is transferred to the system 10 from the user. The private data related to the user 06 is caller ID 350, name 352, e-mail address 354, PIN 356, system A ID 358 and corresponding user ID 360, and set time 362 or the password 364.

[0060] The system database 340 identifies the information on the system 20 which needs to be accessed by the authentication system 10 to send the transient passwords. The information may include system ID 358, system name 366, and system access path 368.

[0061] The transaction database 342 logs all password request transactions by a transaction reference 370, date/time 372, caller ID 374, and system ID 358. In addition, user ID 360 and set time 376 are also maintained for the embodiment that enables sending a transient pass code to system 20.

[0062] Authentication System Function 10A

[0063] As described earlier, the authentication function 10A is operative with the processor 330 to provide the functions of (i) customer interface function, (ii) password function, and (iii) system interface function.

[0064] The customer interface function performs the tasks of (i) opening an account via web page 400, (ii) receiving user id, system id, and set time via web page 420 or receiving system name and password via web page 410, (iii) receiving an 800 call and verifying caller id, and (iv) delivering a voice/text response transient password or a stored password.

[0065] In addition to caller id, a PIN 356 may be utilized to verify the caller to the authentication system 10. Use of a PIN is the prevalent technology, for example in gaining access to banking services and voice mail messages.

[0066] The password function performs the tasks of (i) creating a random transient password, (ii) alerting the system interface function to send the user ID and the transient password, (iii) setting a timer for the set time, and (iv) at the expiration of the timer, alerting the system interface function to send the user ID and a null password.

[0067] The transient passwords are randomly created by the password function using a prior art random number generator. The transient passwords may be very simple. For example, they may be two- to four-digit numerals, making them easy for the user to receive and use.

[0068] Transient passwords do not permanently reside anywhere, including the authentication system 10 or even the computer system 20, beyond their transient life. The transient life may be selected by the user based on his/her personal habits in how long it takes them to log on to the system after they have requested a transient password. The user specifies the set time at the time of pre-storing the user ID in the authentication system 10 via web page 420. The set time may be specified from a group of 15 seconds, 30 seconds, 45 seconds, 60 seconds, one hour, one day, one month, and three months. The set time is based on user habits and the security needs of the system 20.

[0069] The system interface function performs the tasks of (i) interfacing with the system 20, and (ii) sending the user ID and the transient password to the system 20. The system interface function may use a special connect path to obtain access to the access control function 34 of the system 20.

[0070] The system interface function enables a privileged and secure connection to the system 20 that allows the access control function 34 in the system 20 to receive from the authentication system 10 the user ID 12 and transient password 14. The system interface connection may be via the Internet or it may be a dedicated telephone line connection.

[0071] The system interface function sends to the system 20 a user's pre-stored user ID and the random pass code created on user demand. The access control function in the system 20 updates the existing password with the pass code. Subsequently, after waiting a set time, the system interface function sends the same pre-stored user ID and a null pass code to the system 20. The system 20 updates the password with the null pass code, ending the life of the pass code.

[0072] Alternate Versions

[0073] This invention may be practiced in different versions, as the systems have different security needs and the users have different habits. The access control function 34 of system 20 may have different versions, allowing flexibility in how the passwords and pass codes are used.

[0074] In one version, the authentication system 10 sends the user ID, the transient pass code and the set time all at the same time, avoiding a second or subsequent data interface to system 20. In this version the access control function 34 of the system 20 would run its own timer and after expiry of the set time would disable the transient pass code. The access control function 34 may disable the transient pass code either upon first access or after the set time expires.

[0075] In other versions the access control function 34 may be able to use either an existing password or a transient pass code. Three different versions are described here.

[0076] In the first version a system may require only the transient pass code for gaining access to system 20. In the second version either the traditional password OR the transient pass code may be used by the user to gain access to the system 20. The access control function 34 is adapted to recognize either the traditional password or the transient pass code as valid user verification, enabling those users who do not see a need to adopt the transient pass code to continue to use the traditional password, and those users who want to use the transient pass code to do so. In the third version both the traditional password AND the transient pass code may be required to gain access, as may be used in very high security systems.

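The lifecycle of steps (1) to (6) and of paragraphs [0066]-[0071] and [0076], as an added illustration written for this page and not code from the patent: the authentication system verifies caller ID and PIN, creates a random transient pass code, sends it with the set time to the selected system, and that system's access control function accepts the code once, discards it at expiry or on a null code, and applies one of the three versions of [0076]. Class and method names, the injectable clock, and the sample caller ID, PIN, user IDs and passwords (taken from the figures) are assumptions of the illustration.

```python
"""Transient pass-code lifecycle modelled on authentication system 10 and the
access control function 34 of a system 20. Added illustration for this page,
not the patent's code; class and method names are assumptions."""
import hmac
import secrets
import time

# Set-time choices the specification lists for web page 420 ([0068]), in seconds.
SET_TIMES = {
    "15 sec": 15, "30 sec": 30, "45 sec": 45, "60 sec": 60,
    "1 hour": 3600, "1 day": 86400, "1 month": 30 * 86400, "3 month": 90 * 86400,
}


class AccessControlFunction:
    """Access control function 34 of a system 20 (bank, business, consumer, facility)."""

    def __init__(self, version="transient_only", clock=time.time):
        # One of "transient_only", "password_or_transient", "password_and_transient" ([0076]).
        self.version = version
        self.clock = clock        # injectable so expiry can be tested deterministically
        self.passwords = {}       # user ID 12 -> traditional password 28
        self.transient = {}       # user ID 12 -> (transient pass code 14, expiry time)

    def set_password(self, user_id, password):
        self.passwords[user_id] = password

    def receive_transient(self, user_id, code, set_time):
        """Receive user ID, transient pass code and set time in one message ([0074]).
        A null code (None) ends the code's life early ([0071])."""
        if code is None:
            self.transient.pop(user_id, None)
            return
        self.transient[user_id] = (code, self.clock() + set_time)

    def _transient_ok(self, user_id, code):
        entry = self.transient.get(user_id)
        if entry is None or code is None:
            return False
        stored, expiry = entry
        if self.clock() > expiry:        # expired: discard ([0048])
            del self.transient[user_id]
            return False
        if not hmac.compare_digest(stored, code):
            return False
        del self.transient[user_id]      # single use: deleted on first access ([0048])
        return True

    def _password_ok(self, user_id, password):
        stored = self.passwords.get(user_id)
        return (stored is not None and password is not None
                and hmac.compare_digest(stored, password))

    def log_in(self, user_id, password=None, code=None):
        """Log-in page 210/220: returns True when access is granted."""
        if self.version == "transient_only":
            return self._transient_ok(user_id, code)
        if self.version == "password_or_transient":
            return self._password_ok(user_id, password) or self._transient_ok(user_id, code)
        if self.version == "password_and_transient":
            # Password first, so a wrong password does not consume the one-time code.
            return self._password_ok(user_id, password) and self._transient_ok(user_id, code)
        raise ValueError(f"unknown access control version: {self.version}")


class AuthenticationSystem:
    """Authentication system 10 with its customer and transaction databases
    ([0059], [0061]) and the password and system interface functions ([0066], [0069])."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.customers = {}       # caller ID 350 -> {"pin": PIN 356, "systems": {selection: (system, user ID, set time)}}
        self.transactions = []    # transaction database 342

    def open_account(self, caller_id, pin):
        """Web page 400 ([0033]); the identity checks of [0041] happen before this call."""
        self.customers[caller_id] = {"pin": pin, "systems": {}}

    def select_system(self, caller_id, selection, system, user_id, set_time):
        """Web page 420 ([0040]): pre-store the system, its user ID and the set time."""
        if set_time not in SET_TIMES.values():
            raise ValueError("set time must be one of the listed choices")
        self.customers[caller_id]["systems"][selection] = (system, user_id, set_time)

    def handle_call(self, caller_id, pin, selection):
        """Steps (1)-(4) of [0043]-[0046]: returns the code the voice response would
        annunciate, or None when the caller cannot be verified."""
        customer = self.customers.get(caller_id)
        # Caller ID identifies the customer; the PIN ([0065]) is the secret that verifies
        # them, so a matching caller ID alone never releases a code.
        if customer is None or not hmac.compare_digest(customer["pin"], pin):
            return None
        if selection not in customer["systems"]:
            return None
        system, user_id, set_time = customer["systems"][selection]
        code = f"{secrets.randbelow(10000):04d}"   # [0067]: short numeral from a random generator
        system.receive_transient(user_id, code, set_time)   # system interface function ([0069])
        self.transactions.append((self.clock(), caller_id, selection, user_id, set_time))
        return code
```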
[0077] With reference to FIG. 2, log on web pages for some of the different versions are illustrated. Log in page 210 requires the use of an existing password 14. User instructions 216 describe how the password is obtained by calling an 800 number using the user's cell phone. Log in page 220 requires the use of a transient pass code, as instructions 226 describe this feature of the log on procedure.

[0078] In yet another version, the password is in the form of a passkey. The passkey has embedded user identification and a random pass code. The passkey is sufficient both to identify the user and to verify the user to the system.

[0079] As an illustration, take a banking application, where the bank computer system already has the ability to respond to telephone calls by its customers, as well as to provide web-based online banking services where a user ID and password are required, the user ID being in many cases a social security number.

[0080] According to this invention, a user, before logging on to the online bank system, would call an 800 number of the bank. The bank would verify the caller ID against either the user's home number or the cell telephone number, and request the PIN code, the same PIN code as for an ATM card. On customer identification and verification, the authentication function 10A in the bank computer system 20 would generate a random number and append it to the user telephone number, making it a passkey, send it to the user on the telephone, and send it to the access control function 34 of the system 20.

[0081] In this version, there is no need for the user to open an account as with other versions described earlier, because the banking system already has the data on the user: telephone number, name, e-mail address and the PIN.

[0082] As illustrated in FIG. 2, log-in page 230, the user would log on with a passkey 29 as one string, eliminating the user ID and password data entry fields. The access control function 34 would both identify the user 06 and verify the user with the passkey 29.

[0083] As further illustration of this version, a user has a cell telephone number of 1-707 399 4333 and calls 1-800 Bank One. The bank system asks for a PIN and the user enters a PIN of 1249, the same PIN used for an ATM or the last four digits of the social security number. The authentication function 10A in the bank computer system identifies and verifies the user and creates a passkey of 7073994333-4345, where the first number is the cell telephone number and the last four digits are a random number created for this user for this transaction. The authentication function 10A communicates the passkey of 7073994333-4345 to the access control function 34. The authentication function 10A also communicates the passkey to the user 06. Since the user already knows the telephone number, there is no need to communicate that part of the passkey. Therefore the voice response may be "plus 3445". A time limit for which this passkey is usable may also be voice annunciated, such as "plus 3445 three minutes".

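The passkey version of [0078]-[0083], as an added illustration written for this page rather than code from the patent: the bank's authentication function verifies caller ID and the ATM PIN, appends four random digits to the telephone number to form the passkey, annunciates only the random part with its time limit, and the access control function identifies and verifies the user from the single string on log-in page 230, once and within the time limit. Class and function names, the injectable clock and random source, and the 180-second limit (the page's "three minutes") are assumptions.

```python
"""Passkey version of [0078]-[0083]: the bank's authentication function 10A appends
a random four-digit number to the caller's telephone number (7073994333-4345) and
the access control function 34 identifies and verifies the user from that one
string. Added illustration for this page, not the patent's code; names are assumptions."""
import hmac
import secrets
import time


def normalise(number):
    """'1-707 399 4333' -> '7073994333': keep the digits, drop a leading national 1."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits


class BankAuthenticationFunction:
    """Authentication function 10A embedded in the bank system 20 ([0080]-[0081])."""

    def __init__(self, clock=time.time, rng=secrets.randbelow, time_limit=180):
        self.clock = clock              # injectable for deterministic expiry tests
        self.rng = rng                  # secrets.randbelow in use; injectable for tests
        self.time_limit = time_limit    # seconds the passkey stays usable ("three minutes", [0083])
        self.customers = {}             # telephone number -> ATM PIN the bank already holds ([0081])
        self.passkeys = {}              # telephone number -> (random part, expiry), held by access control 34

    def enrol(self, telephone, pin):
        self.customers[normalise(telephone)] = pin

    def call(self, caller_id, pin):
        """[0080]: verify caller ID and PIN, create the passkey, hand it to access control
        and return the voice response of [0083] ('plus NNNN ... minutes')."""
        telephone = normalise(caller_id)
        stored = self.customers.get(telephone)
        if stored is None or not hmac.compare_digest(stored, pin):
            return None
        random_part = f"{self.rng(10000):04d}"
        self.passkeys[telephone] = (random_part, self.clock() + self.time_limit)
        return f"plus {random_part} {self.time_limit // 60} minutes"

    def log_in(self, passkey):
        """Access control function 34 on log-in page 230 ([0082]): one string identifies
        and verifies the user. Returns the telephone number identified, or None."""
        telephone, sep, random_part = passkey.partition("-")
        if not sep or not telephone.isdigit() or not random_part.isdigit():
            return None
        entry = self.passkeys.get(telephone)
        if entry is None:
            return None
        expected, expiry = entry
        if self.clock() > expiry:                 # time limit passed
            del self.passkeys[telephone]
            return None
        if not hmac.compare_digest(expected, random_part):
            return None
        del self.passkeys[telephone]              # single use
        return telephone
```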
obtaining the objective and providing the advantages herein before stated, it is to be understood that it is merely illustrative of the