(19) United States
`(12) Patent Application Publication (10) Pub. No.: US 2008/0120195 A1
`Shakkarwar
`(43) Pub. Date:
`May 22, 2008
`
`US 20080120195A1
`
`(54) SYSTEMS AND METHODS FOR
`IDENTIFICATION AND AUTHENTICATION
`OF A USER
`
`(76) Inventor:
`
`Rajesh G. Shakkarwar, Cupertino,
`CA (Us)
`
`Correspondence Address:
`PATTERSON & SHERIDAN, LLP
`3040 POST OAK BOULEVARD, SUITE 1500
`HOUSTON, TX 77056
`
`(21) Appl. No.:
`
`11/562,353
`
`(22) Filed:
`
`Nov. 21, 2006
`
`Publication Classi?cation
`
`(51) Int. Cl.
`G06Q 20/00
`G06Q 30/00
`
`(2006.01)
`(2006.01)
`
`E
`
`(52) us. CI. ................................ .. 705/26; 705/1; 705/35
`
`(57)
`
`ABSTRACT
`
`The present invention generally relates to a computer security
`system for use in the identi?cation and authentication of a
`user prior to an on-line transaction. In one aspect, a method
`for facilitating a secure transaction over a network is pro
`vided. The method includes collecting a usemame and pass
`word associated with a user of the machine. The method
`further includes verifying that the usemame and password
`matches a previously collected username and password in an
`identity pro?le. The method also includes collecting device
`data from a user machine to uniquely identify the machine.
`Additionally, the method includes verifying that the device
`data matches previously collected device data in the identity
`pro?le. In another aspect, a computer-readable medium
`including a set of instructions that when executed by a pro
`cessor cause the processor to facilitate a secure transaction
`over a network is provided. In yet a further aspect, a system
`for facilitating a secure transaction is provided.
`
`USER ACCESSES AN ENROLLMENT WEBPAGE
`I
`ASK USER sPECIFIC PERSONAL QUEsTIONs
`
`, 205
`
`/ 210
`
`215
`
`IDENTITY
`INFORMATION
`MATCH?
`
`220
`(
`EXCEPTION
`PROCESS
`
`DOWNLOAD AGENT TO UsER MACHINE
`I
`SELECT USER NAME & PASSWORD -
`FIRST FACTOR OF AUTHENTICATION
`I
`EXTRACT UNIQUE INFORMATION FROM THE
`MACHINE - SECOND FACTOR OF AUTHENTICATION
`I
`OBTAIN BIOMETRIC INFORMATION FROM USER -
`THIRD FACTOR 0F AUTHENTICATION
`I
`BIND USER IDENTITY WITH THE USER
`IDENTITY PROFILE
`I
`sTORE IDENTITY PROFILE IN THE
`AUTHENTICATION SERVER
`
`f225
`
`,230
`
`,235
`
`/240
`
`245
`
`,250
`
`APPLE EXHIBIT 1009
`Page 1 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 1 0f 9
`
`US 2008/0120195 A1
`
`om?
`
`m:
`
`MIEOWE
`
`mow
`
`APPLE EXHIBIT 1009
`Page 2 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 2 0f 9
`
`US 2008/0120195 A1
`
`@
`
`USER ACCESSES AN ENROLLMENT WEBPAGE f 205
`I
`ASK USER SPECIFIC PERSONAL QUESTIONS
`
`f 210
`
`215
`
`IDENTITY
`INFORMATION
`MATCH?
`
`r220
`EXCEPTION
`PROCESS
`
`DOWNLOAD AGENT TO USER MACHINE
`I
`SELECT USER NAME & PASSWORD -
`FIRST FACTOR OF AUTHENTICATION
`I
`EXTRACT UNIQUE INFORMATION FROM THE
`MACHINE - SECOND FACTOR OF AUTHENTICATION
`I
`OBTAIN BIOMETRIC INFORMATION FROM USER -
`THIRD FACTOR OF AUTHENTICATION
`I
`BIND USER IDENTITY WITH THE USER
`IDENTITY PROFILE
`I
`STORE IDENTITY PROFILE IN THE
`AUTHENTICATION SERVER
`
`/225
`
`,230
`
`[235
`
`f24O
`
`f245
`
`;250
`
`FIG. 2
`
`APPLE EXHIBIT 1009
`Page 3 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 3 0f 9
`
`US 2008/0120195 A1
`
`COLLECT USER NAME AND/OR
`PASSWORD -
`FIRST FACTOR OF AUTHENTICATION
`
`/ 305
`
`310
`
`IDENTIFY
`INFORMATION
`MATCH?
`
`NO
`
`EXCEPTION f 315
`PROCESS
`
`COLLECT IDENTITY INFORMATION
`ABOUT USER MACHINE -
`SECOND FACTOR OF AUTHENTICATION
`I
`COLLECT BIOMETRIC IDENTITY
`INFORMATION
`THIRD FACTOR OF AUTHENTICATION
`I
`VERIFY IDENTITY INFORMATION
`WITH IDENTITY PROFILE
`PREVIOUSLY STORED IN THE
`AUTHENTICATION SERVER
`
`335
`
`IDENTIFY
`INFORMATION
`MATCH?
`
`NO
`
`EXCEPTION
`PROCESS
`
`ALLOW ACCESS
`
`FIG. 3
`
`APPLE EXHIBIT 1009
`Page 4 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 4 0f 9
`
`US 2008/0120195 A1
`
`COLLECT USER NAME AND/OR
`PASSWORD -
`FIRST FACTOR OF AUTHENTICATION
`
`/ 405
`
`410
`
`IDENTIFY
`INFORMATION
`MATCH?
`
`NO
`
`EXCEPTION f 415
`PROCESS
`
`420\
`
`COLLECT IDENTITY INFORMATION
`ABOUT USER MACHINE -
`SECOND FACTOR OF AUTHENTICATION
`I
`COLLECT BIOMETRIC IDENTITY
`INFORMATION
`THIRD FACTOR OF AUTHENTICATION
`I
`VERIFY IDENTITY INFORMATION
`WITH IDENTITY PROFILE
`PREVIOUSLY STORED IN THE
`AUTHENTICATION SERVER
`
`435
`
`IDENTIFY
`INFORMATION
`MATCH?
`
`NO
`
`EXCEPTION f 440
`PROCESS
`
`445\
`
`CONNECT TO USER FINANCIAL
`INSTITUTION SERVER
`
`I
`
`TO FIG. 4B
`STEP 450
`
`FIG. 4A
`
`APPLE EXHIBIT 1009
`Page 5 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 5 0f 9
`
`US 2008/0120195 A1
`
`FROM FIG. 4A
`STEP 445
`
`400
`—
`
`450 \
`
`455
`\
`
`OBTAIN ACCOUNT INFORMATION FROM
`FINANCIAL INSTITUTION SERVER
`
`II
`SELECT ACCOUNT FOR PAYMENT
`
`460
`\
`
`I
`CREATE ONE-TIME USE PERSONAL ACCOUNT NUMBER
`
`465
`\
`
`470
`\
`
`475 \
`
`480 \
`
`485 \
`
`I
`ENTER ONE-TIME USE PERSONAL ACCOUNT
`NUMBER IN THE MERCHANT WEBPAGE
`
`II
`SEND ONE-TIME USE PERSONAL ACCOUNT
`NUMBER TO PAYMENT PROCESSOR
`
`II
`EXTRACT SERVER DATA FROM ONE-TIME
`USE PERSONAL ACCOUNT NUMBER
`
`II
`SEND ONE-TIME USE PERSONAL ACCOUNT NUMBER AND
`TRANSACTION DETAILS TO THE AUTHENTICATION SERVER
`
`II
`REPLACE ONE-TIME USE PERSONAL ACCOUNT NUMBER
`WITH USER REAL PERSONAL ACCOUNT NUMBER
`
`I
`
`490 \ SEND REAL PERSONAL ACCOUNT NUMBER & TRANSACTION DETAILS
`TO USER FINANCIAL INSTITUTION FOR AUTHORIZATION
`
`495
`
`II
`SEND AUTHORIZATION TO PAYMENT PROCESSOR
`
`II
`498 \ SETTLEMENT IS MADE BETWEEN USER FINANCIAL INSTITUTION
`AND MERCHANT FINANCIAL INSTITUTION
`
`FIG. 4B
`
`APPLE EXHIBIT 1009
`Page 6 of 18
`
`

`

`Patent Application Publication May 22, 2008 Sheet 6 0f 9
`
`US 2008/0120195 A1
`
`03
`
`ow?
`
`W m9.
`
`
`
`m:\/\ mzmoma
`
`m .QE
`
`cm?
`
`
`
`0mm molm
`
`M mm?
`
`W o5
`
`mom
`
`APPLE EXHIBIT 1009
`Page 7 of 18
`
`

`

`Patent Application Publication
`
`00
`
`eh
`
`1A59
`
`
`
`2.,@5358
`
`o:
`
`AAp
`
`Igg
`
`._.Z.u.__>_><n_
`
`_m_ocm:_n_
`
`8:255
`
`
`
`
`
`23%50>8.5w2.$353wm5$2525%:.>.M932IEwing«Wu“Mg—“Mu.95:99588Eoz.5xom50m“52%a.m5.
`
`
`W58$53E3:552A32.53EmcawSe3&4.
`s|
`
`Em:
`
`mNm
`
`G
`
`
`
`Easems.v00"cofigmmawm.m:____nmc_&_fi>
`a9.85258.Emzo_me.e=umm\\m%;23g@AVE85229:
`
`mm;mg;0.203HG OOO
`E5wasgamma
`
`5m2%58
`2.2.5SEa.2H5
`
`
`
`
`
`.m28£85mg;528Ea£5EM.»cozmefisEmimm
`
`
`
`
`
`
`
`.22is28En5;ES825%ma28.2222).a:28E.520an8%8E:28EmSo2:0
`
`
`
`1fl0.3553ENE.88:3550>aEmEBm—mnnESE5559>:0$2289:Sofie
`fiaE$32595550>m0.O_“—:ofiEaEES“520E93DEma:m$22255E_was:552228go:55%52mg:I..5:;mDH—mmeug
`
`
`
`m=____mS558Emt¢u%am.52SmUEE288:23m5_25:.__H_E<535:2$82
`
`
`3:83Em8cmEm>c85395::m5Ammomams22%;05.o532%in.283@555;Essex95:H595298H325228:5
`
`APPLE EXHIBIT 1009
`
`Page 8 of 18
`
`APPLE EXHIBIT 1009
`Page 8 of 18
`
`
`
`
`
`

`

`Patent Application Publication May 22, 2008 Sheet 8 0f 9
`
`US 2008/0120195 A1
`
`mom
`
`o:
`
`AA»
`
`mmo
`
`EQQEEEQE
`
`
`
`mm; m9; 5x02, 8
`
`GOP
`
`APPLE EXHIBIT 1009
`Page 9 of 18
`
`

`

`Patent Application Publication
`
`May 22, 2008 Sheet 9 0f 9
`
`US 2008/0120195 A1
`
`
`
`
`
`beam—8385m:9sz
`
`mum”..235
`
`3:38853.2
`9.5%.:22>xmwfim
`
`
`
`
`
`
`
`
`:85><a98¢m85%;35:25€588
`
`
`
`
`
`meg6:35ngSofia”8:28
`
`
`
`
`
`A:5me
`
`ozazmmmEmfiflm
`
`><|oOH
`
`.5835%ES:
`
`
`
`mom\\Ng§/fl//
`
`
`A:0:=53/zo_SEmz_\«EaHE5:,Sea
`/\n282.222225.ES/\28:85a5;E
`
`m5
`
`ovw
`
`$830.a22%;05
`
`
`
`><m2=8m”.253228
`
`nIEU
`28SEE
`
`w.9“.
`
`
`
`
`
` cofieégES:85EmamIwmeuu<:____m%m__mweugC____muu<fl
`
`aeg<m=____m
`
`
`ES:3550>:0$9259:EEE«was.322%.95.350>
`
`.uoEmu3>9:E8:8359:0EmEBEw
`
`
`
`
`
`
`I._.__>_wZIOw.._.2w_>_><n_02_www001n_
`
`._.z.n.__>_><n_
`
`_m_o:m:_n_
`
`22:;sz
`
`mmw
`
`C
`
`Ea"cozogmwamqm:___3m:_&_fi=
`238558.Emfisaéaméwqfi8aaQ@
`
`EooucmchE
`
`OOO
`
`
`
`damnmmmsms3=_32%23:5
`
` 2oz8xomgoaEzfl
`
`
`
`mm;we;SmogGU
`
`35was238
`
`8%“85=5
`
`0%Eu::8
`mm.2mum
`
`$22HE
`
`.985g355839:23:gas
`
`2.8$25:Eu
`
`m<
`
`a;.520:58w:85:28Em252:0
`.22is28:55%9%:Sm__m.%
`
`D285:2$82H2:95
`
`a28go5;E5E33%
`
`28Ew5:,E8:252Email
`
`APPLE EXHIBIT 1009
`
`Page 10 of 18
`
`APPLE EXHIBIT 1009
`Page 10 of 18
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`

`

`US 2008/0120195 A1
`
`May 22, 2008
`
`SYSTEMS AND METHODS FOR
`IDENTIFICATION AND AUTHENTICATION
`OF A USER
`
`BACKGROUND OF THE INVENTION
`
`[0001] 1. Field of the Invention
`[0002] The present invention generally relates to computer
`security and more speci?cally to systems and methods for
`identifying and authenticating a user.
`[0003] 2. Description of the Related Art
`[0004] Internet commerce has increased dramatically over
`the last several years. As a result, several different on-line
`payment methods have been created. In one payment method,
`the buyer simply types a credit card number into an on-line
`payment Webpage to pay for the goods or services provided
`by an on-line merchant. In another payment method, the
`buyer uses an on-line payment service to pay for the goods or
`services provided by an on-line merchant. The on-line pay
`ment service alloWs the buyer to pay the on-line merchant via
`the Internet using funds that are available in a bank account or
`on a credit card. The on-line payment service holds the
`account information, not the on-line merchant, and therefore
`the on-line payment service may protect the buyer from
`unlaWful use of the buyer’s account.
`[0005] Even though on-line payment services are effective
`in providing a more secure means of on-line payment
`betWeen the buyer and the on-line merchant as compared to
`paying by a credit card number or a personal check, on-line
`payment services typically require a single factor of authen
`tication to verify that the buyer is actually the oWner of the
`account. For example, the on-line payment service may
`require the buyer to input an email address and a passWord to
`make an on-line payment. HoWever, the single factor of
`authentication, such as the email address and passWord, can
`be easily stolen by a computer hacker. This may result in the
`unlaWful use of the buyer’s account, Which is a common form
`of identity theft.
`[0006] In addition to Internet commerce, many banks noW
`offer on-line banking Which alloWs customers to access their
`accounts via the Internet. On-line banking alloWs a customer
`to perform routine transactions, such as account transfers,
`balance inquiries, bill payments, and stop-payment requests
`from a remote computer. In addition, some banks alloW their
`customers to apply for loans and credit cards on-line as Well.
`Similar to on-line payment services, to access the account
`information or apply for a loan or a credit card on-line, a bank
`usually requires only one factor of authentication to verify
`that an on-line customer is actually the oWner of the account.
`For example, the bank may require the customer to input a
`usemame and a passWord to access the account. Again, the
`single factor of authentication, such as the usemame and
`passWord, can be easily stolen by a computer hacker, Which
`may result in the unlaWful use of the customer’s account.
`[0007] As the foregoing illustrates, there is a need in the art
`for a Way to verify the identities of on-line customers that is
`more secure than current approaches.
`
`SUMMARY OF THE INVENTION
`
`[0008] The present invention generally relates to a com
`puter security system for use in the identi?cation and authen
`tication of a user prior to an on-line transaction. In one aspect,
`a method for facilitating a secure transaction over a netWork
`is provided. The method includes collecting a username and
`
`passWord associated With a user of the machine. The method
`further includes verifying that the usemame and passWord
`matches a previously collected username and passWord in an
`identity pro?le. The method also includes collecting device
`data from a user machine to uniquely identify the machine.
`Additionally, the method includes verifying that the device
`data matches previously collected device data in the identity
`pro?le.
`[0009] In another aspect, a computer-readable medium
`including a set of instructions that When executed by a pro
`cessor cause the processor to facilitate a secure transaction
`over a netWork is provided. The processor performs the step
`collecting a usemame and passWord associated With a user of
`the machine. The processor also performs the step of trans
`mitting the usemame and passWord to a server machine in
`order to verify that the username and passWord matches a
`previously collected username and passWord in an identity
`pro?le. Further, the processor performs the step of collecting
`device data from a user machine to uniquely identify the
`machine. Additionally, the processor performs the step of
`transmitting the device data to the server machine in order to
`verify that the device data matches a previously collected
`device data in the identity pro?le.
`[0010] In yet a further aspect, a system for facilitating a
`secure transaction is provided. The system includes a com
`puting device having a processor and a memory, Wherein the
`memory includes a security agent program con?gured to
`collect a usemame and passWord associated With a user of the
`computing device and transmit the usemame and passWord.
`The security agent is also con?gured to collect device data
`from the computing device to uniquely identify the comput
`ing device and transmit the device data. The system further
`includes a server machine that includes a user pro?les data
`base and con?gured to receive the username and passWord
`from the computing device and verify that the usemame and
`passWord matches previously collected usemame and pass
`Word in the identity pro?le stored in user pro?les database.
`The server machine is further con?gured to receive the device
`data from the computing device and verify that the device data
`matches previously collected device data in an identity pro?le
`stored in user pro?les database.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`[0011] So that the manner in Which the above recited fea
`tures of the present invention can be understood in detail, a
`more particular description of the invention, brie?y summa
`riZed above, may be had by reference to embodiments, some
`of Which are illustrated in the appended draWings. It is to be
`noted, hoWever, that the appended draWings illustrate only
`typical embodiments of this invention and are therefore not to
`be considered limiting of its scope, for the invention may
`admit to other equally effective embodiments.
`[0012] FIG. 1 is a conceptual block diagram of a system
`con?gured to identify and authenticate the identity of a user,
`according to one embodiment of the invention.
`[0013] FIG. 2 is a How chart ofmethod steps for enrolling a
`user in a security service, according to one embodiment of the
`invention.
`[0014] FIG. 3 is a How chart of method steps for securely
`accessing a user account, according to one embodiment of the
`invention.
`[0015] FIGS. 4A and 4B are a How chart of method steps for
`making a secured payment, according to one embodiment of
`the invention.
`
`APPLE EXHIBIT 1009
`Page 11 of 18
`
`

`

`US 2008/0120195 A1
`
`May 22, 2008
`
`[0016] FIG. 5 is a conceptual block diagram of a system
`through Which a secured payment may be made, according to
`one embodiment of the invention.
`[0017] FIGS. 6-8 are conceptual illustrations depicting
`hoW the security agent of FIG. 1 interacts With a merchant
`payment Web page When a secured payment is made, accord
`ing to one embodiment of the invention.
`
`DETAILED DESCRIPTION
`
`[0018] In general, the invention relates to a computer secu
`rity system for use in the identi?cation and authentication of
`a user prior to an on-line transaction. The system Will be
`described herein in relation to a single user. However, it
`should be understood that the systems and methods described
`herein may be employed With any number of users Without
`departing from the principles of the present invention. The
`description of the invention is separated into four sections: the
`architecture, the enrollment process, a secure access transac
`tion, and a secure payment transaction. To better understand
`the novelty of the system of the present invention and the
`methods of use thereof, reference is hereafter made to the
`accompanying draWings.
`[0019] Architecture
`[0020] FIG. 1 is a conceptual block diagram of a system
`100 con?gured to identify and authenticate the identity of a
`user, according to one embodiment of the invention. The
`system 100 includes a user machine 105, Which may be any
`type of individual computing device such as, for example, a
`desk-top computer, a lap-top computer, a hand-held phone
`device, or a personal digital assistant. Generally, the user
`machine 105 is con?gured to be a communication link
`betWeen the user and the other components in the system 100.
`The user machine 105 includes a security agent 110. Gener
`ally, the security agent 110 is a softWare entity that runs on the
`user machine 105. As described in further detail herein, the
`security agent 110, among other things, is con?gured to cre
`ate an identity pro?le 115 of a user and of user machine 105,
`collect certain data from the user machine 105 or manage
`secure access or secure payment transactions made from user
`machine 105.Additionally, the security agent 110 is designed
`to offer protection against phishing, pharming, Trojan pro
`grams or Worms.
`[0021] As also shoWn, the user machine 105 includes the
`pro?le 115, Which represents the identity of the user. The
`pro?le 115 is unique for each user. As described in further
`detail herein, once the pro?le 115 has been created for the
`user, the identity of the user can be subsequently veri?ed by a
`series of interactions betWeen the security agent 110 and the
`authentication server 125 based on the pro?le 115. The pro?le
`115 includes data about the user and the user machine 105 and
`can be used to establish a multifactor identi?cation for the
`user Whenever the user attempts to conduct transactions via
`the user machine 105. The ?rst factor of authentication is a
`usemame and/or passWord, Which relates to “What the user
`knows.” The second factor of authentication is unique infor
`mation about the user machine 105, Which relates to “What the
`user has.” The third factor of authentication is unique infor
`mation about the user, such as biometric identity, Which
`relates to “Who the user is.”
`[0022] As Will be discussed beloW in the enrollment pro
`cess, the usemame and/or passWord is created by the user
`after the identity of the user is established. The usemame
`and/or passWord are typically a combination of characters
`and numbers, Which the user can easily remember. In one
`
`embodiment, the user machine 105 transmits the usemame
`and/or passWord in a cryptographically protected form, so
`access to the actual username and/or passWord Will be dif?
`cult for a snooper Who gains internal access to the user
`machine 105.
`[0023] With respect to the second factor of authentication,
`the unique information about the user machine 105 is gener
`ally a combination of select information associated With the
`user machine 105. The information may be static or dynamic.
`For instance, the information may include the International
`Mobile Equipment Identity (IMEI), Which is a number unique
`to every mobile phone, the International Mobile Subscriber
`Identity (IMSI), Which is a unique number associated With
`netWork mobile phone users, and/or the geolocation of the
`user machine 105, Which is a real-World geographic location
`of a netWork connected computer or mobile device. The infor
`mation about the user machine 105 may also include
`machine-level attributes. For instance, the information may
`include various parameters available through a PCI con?gu
`ration space, like the Device ID or the Vendor ID for different
`system devices, the data residing in the SMM memory space,
`or other memory hardWare attributes, such as memory type,
`memory clock speed, amount of memory, hard drive serial
`number, siZe of hard drive, maker of hard drive etc., and/or
`chipset information or graphics card information, Which can
`be used to read hidden and/ or unhidden registers Within those
`subsystems. Further, the information may include data at
`different locations in ?rmWare or BIOS or information avail
`able in a Microcode patch or a checksum of a portion of the
`?rmWare Within the user machine 105.
`[0024] In addition to the foregoing, the information about
`the user machine 105 may also be system-level attributes. For
`instance, the information may include a MAC address, hard
`drive serial number, hardWare con?guration information,
`such as interrupt routing, GPIO routing, PCI Device Select
`routing or a hardWare con?guration map, operating system
`registry, CPU type, CPU version or CPU clock speed. The
`information about the user machine 105 may also include
`system pattern extraction. For instance, the information may
`include a directory structure and/ or a list of installed applica
`tions, such as a Word processor or other computer tools.
`[0025] The third factor of authentication consists of unique
`information about the user, such as a biometric identity. The
`biometric data may include the speci?c typing pattern of the
`user since each user’s typing behavior is unique. Typically,
`typing authentication Works by requesting that a user seeking
`access to a computer or a passWord-protected ?le just type a
`short passage into the computer so that the user’s typing
`pattern can be analyZed and matched against a knoWn pattern.
`Additionally, the biometric data may also be generated by a
`biometric device, such as a ?ngerprint device or an iris pattern
`device, included Within the user machine 105.
`[0026] The system 100 further includes a netWork 120,
`Which may be any type of data netWork, such as a local area
`netWork (LAN), a metropolitan area netWork (MAN), a Wide
`area netWork (WAN), or the Internet. The netWork 120 is
`con?gured to act as a communication pathWay betWeen the
`user machine 105, the authentication server 125, and an insti
`tution server 140. The authentication server 125 stores a copy
`of the pro?le 115 generated during the enrollment process in
`a user pro?les database 130. Additionally, the authentication
`server 125 interacts With the agent 110 via the netWork 120
`during the secure access transaction and the secure payment
`transaction, as described beloW. The institution server 140
`
`APPLE EXHIBIT 1009
`Page 12 of 18
`
`

`

`US 2008/0120195 A1
`
`May 22, 2008
`
`stores sensitive information for the user e. g. ?nancial account
`information, con?dential data, etc. The institution server 140
`may be part of a bank, a building society, a credit union, a
`stock brokerage, or other businesses holding sensitive data.
`Generally, the institution server 140 interacts With the agent
`110 via the netWork 120 during the enrollment process, a
`secure access transaction or a secure payment transaction, as
`described beloW.
`[0027] Enrollment Process
`[0028] FIG. 2 is a How chart of method steps for enrolling a
`user in a security service, according to one embodiment of the
`invention. Although the method steps are described in the
`context of the system of FIG. 1, any system con?gured to
`perform the method steps, in any order, is Within the scope of
`the invention. Generally, the enrollment process 200 is used to
`verify the identity of the user, establish multi-factors of
`authentication and bind the veri?ed identity of the user to the
`multi-factors of authentication. As Will be discussed herein,
`verifying the user identity during the enrollment process 200
`may include having the user ansWer speci?c personal ques
`tions e.g. amount of last check deposited, date of last With
`draWal, previous residential address, etc. The ansWers are
`then checked against a knoWn ansWer from a data source,
`such as the institution and/ or third party consumer data base
`to verify that the user is Who the user claims to be. Some
`examples of the multi factors of authentication areithe iden
`ti?cation of the user, the identi?cation of the machine, the
`biometric identity of the user, etc. It should be noted that the
`enrollment process is a one-time process for each user. After
`the enrollment process 200 is complete, the user is able to
`perform the secure access transaction 300 or the secure pay
`ment transaction 400, described beloW, Without having to
`repeat the enrollment steps. The process of verifying identity
`signi?cantly reduces the chance of a malicious party claiming
`to be the user. The process of binding the veri?ed identity to
`the multi-factors of authentication eliminates the cumber
`some process of proving the identity of the user at every
`transaction While providing the same level of security as
`though the user ansWered the identity questions, such as the
`speci?c personal questions each time.
`[0029] The enrollment process 200 begins in step 205,
`Where the user accesses an enrollment Webpage. In one
`embodiment, the enrollment Webpage is generated by the
`institution server 140 and doWnloaded to the user machine
`105 When the user attempts to electronically access an
`account held With the institution. The enrollment Webpage is
`con?gured to educate the user about the enrollment process
`and subsequently start the user identi?cation process of step
`210.
`[0030] In step 210, the user is asked speci?c personal ques
`tions in Which only the user knoWs the ansWer in order to
`generate a veri?ed user identity. The questions may relate to
`dynamic data that frequently changes and is knoWn only by
`the institution, such as “When Was your last deposit,” “What
`Was the last check number,” “Who Was the check Written to” or
`“Who last deposited money in the ?nancial institution”, “What
`Was your last take home pay amount.” The personal questions
`may relate to static data that does not change, such as “What
`car did you drive before your current car,” “What is your social
`security number, date of birth, mother’ s maiden name” or
`“What address did you live at before your current address.” In
`step 215, the ansWers given by the user is compared to knoWn
`ansWers in a data source, such as data at the institution or data
`held at third party data bases, to verify the identity of the user.
`
`If the ansWers do not match the knoWn ansWers in the data
`source, then, in step 220, an exception process is activated.
`The exception process may include a veri?cation of the user
`over the phone. Additionally, the exception process may
`include the user making a personal appearance at a speci?c
`location. The exception process in step 220 may be any type
`of process knoWn in the art to verify the identity of the user.
`[0031] In step 225, the security agent 110 is doWnloaded to
`the user machine 105 after the identity of the user is estab
`lished. In one embodiment, the security agent 110 is doWn
`loaded directly from the institution server 140 via the netWork
`120. In another embodiment, the security agent 110 is doWn
`loaded via the netWork 120 from the authentication server
`125. In any case, the security agent 110 is con?gured to
`interact With both the authentication server 125 and the insti
`tution server 140.
`[0032] In step 230, a user name and passWord is selected to
`establish the ?rst factor of authentication. In one embodi
`ment, the user selects the user name and passWord. In another
`embodiment, the authentication server 125 or the institution
`sever 140 generates the user name and/or the passWord. In any
`case, the user name and/or passWord are used during the
`secure access transaction 300 and the secure payment trans
`action 400, described beloW.
`[0033] In step 235, unique information from the user
`machine 105 is extracted by the security agent 110 to estab
`lish the second factor of authentication. As set forth above, the
`information may include any number of different types of
`data associated With the user machine 105. Again, the infor
`mation may include the IMEI or the IMSI Which relate to
`mobile devices. The information may include the geolocation
`of the user machine 105. The information may also include
`machine level attributes, such as a Device ID, a Vendor ID,
`data at a SMM memory space, a memory type, a memory
`clock, hard drive serial number, chipset information, data at
`different locations in ?rmWare, or information available in
`Microcode patch, a checksum of ?rmWare, or BIOS. Further,
`the information may include system level attributes, such as a
`MAC address, a hard drive serial number, interrupt routing,
`GPIO routing, PCI DevSel routing, a map of hardWare con
`?guration, or an operating system registry. Additionally, the
`information may relate to system pattern extraction, such as a
`directory structure or a list of installed applications. No mat
`ter What type of select data is extracted from the user machine
`105, the data or a combination of different types of data
`should be unique to the user machine 105 in order to establish
`the second factor of authentication.
`[0034] In step 240, the biometric information is collected in
`order to establish the third factor of identity. As set forth
`herein, the biometric data may include speci?c typing pat
`terns of the user or biometric data generated by a biometric
`device, such as a ?ngerprint device or an iris pattern device.
`Although each factor of authentication Was discussed in steps
`230, 235 and 240, it should be understood, hoWever, that any
`of the factors may be an optional factor of authentication in
`the enrollment process 200 Without departing from principles
`of the present invention.
`[0035] In step 245, the veri?ed user identity from step 215
`is connected (or bound) to the the user identity pro?le 115
`Which generally comprises the data collected in steps 230
`240. The connecting (or binding) of the veri?ed user identity
`to the factors of authenication alloWs the user to engage in the
`secure access transaction 300 or the secure payment transac
`tion 400 Without having to repeat the enrollment steps. In
`
`APPLE EXHIBIT 1009
`Page 13 of 18
`
`

`

`US 2008/0120195 A1
`
`May 22, 2008
`
`other Words, the binding of the identity With the factors of
`authenication eliminates the cumbersome process of proving
`the identity of the user at every transaction While providing
`the same level of security as though the user ansWered the
`identity questions (the speci?c personal questions) every
`time.
`[0036] In step 250, a copy of the pro?le 115 is stored in the
`user pro?les database 130 in the authentication server 125.
`During the secure access transaction 300 and the secure pay
`ment transaction 400, the security agent 1 1 0 interacts With the
`authentication server 125 by comparing the data from the user
`and the user machine With the user pro?le 115 stored in the
`user pro?les database 130 to establish the identity of the user
`before proceeding With the transaction. It should be noted that
`in one embodiment the user is able to use the secure access
`transaction 300 and the secure payment transaction 400 With
`out providing any sensitive personal data, such as a credit card
`number, a debit card number, etc. In another embodiment, the
`user interacts directly With an institution to verify the identity
`of the user. Then the institution issues a one-time credential,
`such as an account number and/or passWord. The one-time
`credential is used during the authentication process of the
`user to establish the identity of the user before proceeding
`With the secure access transaction 300 or the secure payment
`transaction 400.
`[0037] Secure Access Transaction
`[0038] FIG. 3 is a How chart of method steps for securely
`accessing a user account, according to one embodiment of the
`invention. Although the method steps are described in the
`context of the system illustrated in FIG. 1, any system con
`?gured to perform the method steps in any order is Within the
`scope of the invention. Generally, the secure access transac
`tion 300 is a transaction Where the user attempts to electroni
`cally access an account held at the institution via the institu
`tion server 140. Some examples of an institution may be a
`?nancial institution, a government agency, a medical institu
`tion or a business. During the secure access transaction 300,
`the security agent 110 interacts With the authentication server
`125 via the netWork 120 to ensure that the user is properly
`authenticated prior to giving the user access to the relevant
`accounts held at the institution.
`[0039] The secure access transaction 300 begins With the
`security agent 110 interacting With the user at a log-on
`Webpage of the institution. In one embodiment, the security
`agent 110 automatically activates after the security agent 110
`detects the lo g-on Webpage of the institution. For instance, the
`security agent may detect the institution log-on Webpage by
`reading the source code of the Webpage, such as the HTML
`code or by reading a trigger, such as a header or an identi?
`cation number embedded in the log-on W