(12) Patent Application Publication
Shakkarwar

(10) Pub. No.: US 2008/0120195 A1
(43) Pub. Date: May 22, 2008

(54) SYSTEMS AND METHODS FOR IDENTIFICATION AND AUTHENTICATION OF A USER

(76) Inventor: Rajesh G. Shakkarwar, Cupertino, CA (US)

Correspondence Address:
PATTERSON & SHERIDAN, L.L.P.
3040 POST OAK BOULEVARD, SUITE 1500
HOUSTON, TX 77056

(21) Appl. No.: 11/562,353

(22) Filed: Nov. 21, 2006

Publication Classification

(51) Int. Cl.
G06Q 20/00 (2006.01)
G06Q 30/00 (2006.01)

(52) U.S. Cl. 705/26; 705/1; 705/35

(57) ABSTRACT

The present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. In one aspect, a method for facilitating a secure transaction over a network is provided. The method includes collecting a username and password associated with a user of the machine. The method further includes verifying that the username and password matches a previously collected username and password in an identity profile. The method also includes collecting device data from a user machine to uniquely identify the machine. Additionally, the method includes verifying that the device data matches previously collected device data in the identity profile. In another aspect, a computer-readable medium including a set of instructions that when executed by a processor cause the processor to facilitate a secure transaction over a network is provided. In yet a further aspect, a system for facilitating a secure transaction is provided.

APPLE EXHIBIT 1107
Page 1 of 18

[Sheet 1 of 9, FIG. 1: block diagram of system 100. The drawing did not survive text extraction; legible labels: 100, 140, INSTITUTION, SECURITY AGENT.]

[Sheet 2 of 9, FIG. 2: flow chart of enrollment process 200]

205  USER ACCESSES AN ENROLLMENT WEBPAGE
210  ASK USER SPECIFIC PERSONAL QUESTIONS
215  IDENTITY INFORMATION MATCH? (NO: 220; YES: 225)
220  EXCEPTION PROCESS
225  DOWNLOAD AGENT TO USER MACHINE
230  SELECT USER NAME & PASSWORD - FIRST FACTOR OF AUTHENTICATION
235  EXTRACT UNIQUE INFORMATION FROM THE MACHINE - SECOND FACTOR OF AUTHENTICATION
240  OBTAIN BIOMETRIC INFORMATION FROM USER - THIRD FACTOR OF AUTHENTICATION
245  BIND USER IDENTITY WITH THE USER IDENTITY PROFILE
250  STORE IDENTITY PROFILE IN THE AUTHENTICATION SERVER

[Sheet 3 of 9, FIG. 3: flow chart 300]

305  COLLECT USER NAME AND/OR PASSWORD - FIRST FACTOR OF AUTHENTICATION
310  IDENTIFY INFORMATION MATCH? (NO: 315)
315  EXCEPTION PROCESS
320  COLLECT IDENTITY INFORMATION ABOUT USER MACHINE - SECOND FACTOR OF AUTHENTICATION
325  COLLECT BIOMETRIC IDENTITY INFORMATION - THIRD FACTOR OF AUTHENTICATION
330  VERIFY IDENTITY INFORMATION WITH IDENTITY PROFILE PREVIOUSLY STORED IN THE AUTHENTICATION SERVER
335  IDENTIFY INFORMATION MATCH? (NO: 340)
340  EXCEPTION PROCESS
     ALLOW ACCESS (on YES)

[Sheet 4 of 9, FIG. 4A: flow chart 400]

     COLLECT USER NAME AND/OR PASSWORD - FIRST FACTOR OF AUTHENTICATION
410  IDENTIFY INFORMATION MATCH? (NO: 415)
415  EXCEPTION PROCESS
420  COLLECT IDENTITY INFORMATION ABOUT USER MACHINE - SECOND FACTOR OF AUTHENTICATION
425  COLLECT BIOMETRIC IDENTITY INFORMATION - THIRD FACTOR OF AUTHENTICATION
430  VERIFY IDENTITY INFORMATION WITH IDENTITY PROFILE PREVIOUSLY STORED IN THE AUTHENTICATION SERVER
435  IDENTIFY INFORMATION MATCH? (NO: 440)
440  EXCEPTION PROCESS
445  CONNECT TO USER FINANCIAL INSTITUTION SERVER
     TO FIG. 4B, STEP 450

[Sheet 5 of 9, FIG. 4B: flow chart 400, continued]

     FROM FIG. 4A, STEP 445
450  OBTAIN ACCOUNT INFORMATION FROM FINANCIAL INSTITUTION SERVER
455  SELECT ACCOUNT FOR PAYMENT
460  CREATE ONE-TIME USE PERSONAL ACCOUNT NUMBER
465  ENTER ONE-TIME USE PERSONAL ACCOUNT NUMBER IN THE MERCHANT WEBPAGE
470  SEND ONE-TIME USE PERSONAL ACCOUNT NUMBER TO PAYMENT PROCESSOR
475  EXTRACT SERVER DATA FROM ONE-TIME USE PERSONAL ACCOUNT NUMBER
480  SEND ONE-TIME USE PERSONAL ACCOUNT NUMBER AND TRANSACTION DETAILS TO THE AUTHENTICATION SERVER
485  REPLACE ONE-TIME USE PERSONAL ACCOUNT NUMBER WITH USER REAL PERSONAL ACCOUNT NUMBER
490  SEND REAL PERSONAL ACCOUNT NUMBER & TRANSACTION DETAILS TO USER FINANCIAL INSTITUTION FOR AUTHORIZATION
495  SEND AUTHORIZATION TO PAYMENT PROCESSOR
498  SETTLEMENT IS MADE BETWEEN USER FINANCIAL INSTITUTION AND MERCHANT FINANCIAL INSTITUTION

[Sheet 6 of 9, FIG. 5: block diagram of a system through which a secured payment may be made. The drawing is rotated in the scan and its labels are only partly legible: INSTITUTION, MERCHANT, FINANCIAL, AUTHENTICATION, PAYMENT, ONLINE MERCHANT.]

[Sheet 7 of 9, FIG. 6: illustration of a merchant payment web page. The rotated page text is not legible in the scan.]

[Sheet 8 of 9, FIG. 7: illustration of a merchant payment web page. The rotated page text is not legible in the scan.]

[Sheet 9 of 9, FIG. 8: illustration of a merchant payment web page. The rotated page text is not legible in the scan.]

SYSTEMS AND METHODS FOR IDENTIFICATION AND AUTHENTICATION OF A USER

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The present invention generally relates to computer security and more specifically to systems and methods for identifying and authenticating a user.

[0003] 2. Description of the Related Art

[0004] Internet commerce has increased dramatically over the last several years. As a result, several different on-line payment methods have been created. In one payment method, the buyer simply types a credit card number into an on-line payment webpage to pay for the goods or services provided by an on-line merchant. In another payment method, the buyer uses an on-line payment service to pay for the goods or services provided by an on-line merchant. The on-line payment service allows the buyer to pay the on-line merchant via the Internet using funds that are available in a bank account or on a credit card. The on-line payment service holds the account information, not the on-line merchant, and therefore the on-line payment service may protect the buyer from unlawful use of the buyer’s account.

[0005] Even though on-line payment services are effective in providing a more secure means of on-line payment between the buyer and the on-line merchant as compared to paying by a credit card number or a personal check, on-line payment services typically require a single factor of authentication to verify that the buyer is actually the owner of the account. For example, the on-line payment service may require the buyer to input an email address and a password to make an on-line payment. However, the single factor of authentication, such as the email address and password, can be easily stolen by a computer hacker. This may result in the unlawful use of the buyer’s account, which is a common form of identity theft.

[0006] In addition to Internet commerce, many banks now offer on-line banking which allows customers to access their accounts via the Internet. On-line banking allows a customer to perform routine transactions, such as account transfers, balance inquiries, bill payments, and stop-payment requests from a remote computer. In addition, some banks allow their customers to apply for loans and credit cards on-line as well. Similar to on-line payment services, to access the account information or apply for a loan or a credit card on-line, a bank usually requires only one factor of authentication to verify that an on-line customer is actually the owner of the account. For example, the bank may require the customer to input a username and a password to access the account. Again, the single factor of authentication, such as the username and password, can be easily stolen by a computer hacker, which may result in the unlawful use of the customer’s account.

[0007] As the foregoing illustrates, there is a need in the art for a way to verify the identities of on-line customers that is more secure than current approaches.

SUMMARY OF THE INVENTION

[0008] The present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. In one aspect, a method for facilitating a secure transaction over a network is provided. The method includes collecting a username and password associated with a user of the machine. The method further includes verifying that the username and password matches a previously collected username and password in an identity profile. The method also includes collecting device data from a user machine to uniquely identify the machine. Additionally, the method includes verifying that the device data matches previously collected device data in the identity profile.

[0009] In another aspect, a computer-readable medium including a set of instructions that when executed by a processor cause the processor to facilitate a secure transaction over a network is provided. The processor performs the step of collecting a username and password associated with a user of the machine. The processor also performs the step of transmitting the username and password to a server machine in order to verify that the username and password matches a previously collected username and password in an identity profile. Further, the processor performs the step of collecting device data from a user machine to uniquely identify the machine. Additionally, the processor performs the step of transmitting the device data to the server machine in order to verify that the device data matches a previously collected device data in the identity profile.

[0010] In yet a further aspect, a system for facilitating a secure transaction is provided. The system includes a computing device having a processor and a memory, wherein the memory includes a security agent program configured to collect a username and password associated with a user of the computing device and transmit the username and password. The security agent is also configured to collect device data from the computing device to uniquely identify the computing device and transmit the device data. The system further includes a server machine that includes a user profiles database and configured to receive the username and password from the computing device and verify that the username and password matches previously collected username and password in the identity profile stored in user profiles database. The server machine is further configured to receive the device data from the computing device and verify that the device data matches previously collected device data in an identity profile stored in user profiles database.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.

[0012] FIG. 1 is a conceptual block diagram of a system configured to identify and authenticate the identity of a user, according to one embodiment of the invention.

[0013] FIG. 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention.

[0014] FIG. 3 is a flow chart of method steps for securely accessing a user account, according to one embodiment of the invention.

[0015] FIGS. 4A and 4B are a flow chart of method steps for making a secured payment, according to one embodiment of the invention.

[0016] FIG. 5 is a conceptual block diagram of a system through which a secured payment may be made, according to one embodiment of the invention.

[0017] FIGS. 6-8 are conceptual illustrations depicting how the security agent of FIG. 1 interacts with a merchant payment web page when a secured payment is made, according to one embodiment of the invention.

DETAILED DESCRIPTION

[0018] In general, the invention relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. The system will be described herein in relation to a single user. However, it should be understood that the systems and methods described herein may be employed with any number of users without departing from the principles of the present invention. The description of the invention is separated into four sections: the architecture, the enrollment process, a secure access transaction, and a secure payment transaction. To better understand the novelty of the system of the present invention and the methods of use thereof, reference is hereafter made to the accompanying drawings.

[0019] Architecture

[0020] FIG. 1 is a conceptual block diagram of a system 100 configured to identify and authenticate the identity of a user, according to one embodiment of the invention. The system 100 includes a user machine 105, which may be any type of individual computing device such as, for example, a desk-top computer, a lap-top computer, a hand-held phone device, or a personal digital assistant. Generally, the user machine 105 is configured to be a communication link between the user and the other components in the system 100. The user machine 105 includes a security agent 110. Generally, the security agent 110 is a software entity that runs on the user machine 105. As described in further detail herein, the security agent 110, among other things, is configured to create an identity profile 115 of a user and of user machine 105, collect certain data from the user machine 105 or manage secure access or secure payment transactions made from user machine 105. Additionally, the security agent 110 is designed to offer protection against phishing, pharming, Trojan programs or worms.

[0021] As also shown, the user machine 105 includes the profile 115, which represents the identity of the user. The profile 115 is unique for each user. As described in further detail herein, once the profile 115 has been created for the user, the identity of the user can be subsequently verified by a series of interactions between the security agent 110 and the authentication server 125 based on the profile 115. The profile 115 includes data about the user and the user machine 105 and can be used to establish a multifactor identification for the user whenever the user attempts to conduct transactions via the user machine 105. The first factor of authentication is a username and/or password, which relates to “what the user knows.” The second factor of authentication is unique information about the user machine 105, which relates to “what the user has.” The third factor of authentication is unique information about the user, such as biometric identity, which relates to “who the user is.”

[0022] As will be discussed below in the enrollment process, the username and/or password is created by the user after the identity of the user is established. The username and/or password are typically a combination of characters and numbers, which the user can easily remember. In one embodiment, the user machine 105 transmits the username and/or password in a cryptographically protected form, so access to the actual username and/or password will be difficult for a snooper who gains internal access to the user machine 105.

[0023] With respect to the second factor of authentication, the unique information about the user machine 105 is generally a combination of select information associated with the user machine 105. The information may be static or dynamic. For instance, the information may include the International Mobile Equipment Identity (IMEI), which is a number unique to every mobile phone, the International Mobile Subscriber Identity (IMSI), which is a unique number associated with network mobile phone users, and/or the geolocation of the user machine 105, which is a real-world geographic location of a network connected computer or mobile device. The information about the user machine 105 may also include machine-level attributes. For instance, the information may include various parameters available through a PCI configuration space, like the Device ID or the Vendor ID for different system devices, the data residing in the SMM memory space, or other memory hardware attributes, such as memory type, memory clock speed, amount of memory, hard drive serial number, size of hard drive, maker of hard drive etc., and/or chipset information or graphics card information, which can be used to read hidden and/or unhidden registers within those subsystems. Further, the information may include data at different locations in firmware or BIOS or information available in a Microcode patch or a checksum of a portion of the firmware within the user machine 105.

[0024] In addition to the foregoing, the information about the user machine 105 may also be system-level attributes. For instance, the information may include a MAC address, hard drive serial number, hardware configuration information, such as interrupt routing, GPIO routing, PCI Device Select routing or a hardware configuration map, operating system registry, CPU type, CPU version or CPU clock speed. The information about the user machine 105 may also include system pattern extraction. For instance, the information may include a directory structure and/or a list of installed applications, such as a word processor or other computer tools.

[0025] The third factor of authentication consists of unique information about the user, such as a biometric identity. The biometric data may include the specific typing pattern of the user since each user’s typing behavior is unique. Typically, typing authentication works by requesting that a user seeking access to a computer or a password-protected file just type a short passage into the computer so that the user’s typing pattern can be analyzed and matched against a known pattern. Additionally, the biometric data may also be generated by a biometric device, such as a fingerprint device or an iris pattern device, included within the user machine 105.

[0026] The system 100 further includes a network 120, which may be any type of data network, such as a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The network 120 is configured to act as a communication pathway between the user machine 105, the authentication server 125, and an institution server 140. The authentication server 125 stores a copy of the profile 115 generated during the enrollment process in a user profiles database 130. Additionally, the authentication server 125 interacts with the agent 110 via the network 120 during the secure access transaction and the secure payment transaction, as described below. The institution server 140 stores sensitive information for the user e.g. financial account information, confidential data, etc. The institution server 140 may be part of a bank, a building society, a credit union, a stock brokerage, or other businesses holding sensitive data. Generally, the institution server 140 interacts with the agent 110 via the network 120 during the enrollment process, a secure access transaction or a secure payment transaction, as described below.

[0027] Enrollment Process

[0028] FIG. 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention. Although the method steps are described in the context of the system of FIG. 1, any system configured to perform the method steps, in any order, is within the scope of the invention. Generally, the enrollment process 200 is used to verify the identity of the user, establish multi-factors of authentication and bind the verified identity of the user to the multi-factors of authentication. As will be discussed herein, verifying the user identity during the enrollment process 200 may include having the user answer specific personal questions e.g. amount of last check deposited, date of last withdrawal, previous residential address, etc. The answers are then checked against a known answer from a data source, such as the institution and/or third party consumer data base to verify that the user is who the user claims to be. Some examples of the multi factors of authentication are: the identification of the user, the identification of the machine, the biometric identity of the user, etc. It should be noted that the enrollment process is a one-time process for each user. After the enrollment process 200 is complete, the user is able to perform the secure access transaction 300 or the secure payment transaction 400, described below, without having to repeat the enrollment steps. The process of verifying identity significantly reduces the chance of a malicious party claiming to be the user. The process of binding the verified identity to the multi-factors of authentication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions, such as the specific personal questions each time.

[0029] The enrollment process 200 begins in step 205, where the user accesses an enrollment webpage. In one embodiment, the enrollment webpage is generated by the institution server 140 and downloaded to the user machine 105 when the user attempts to electronically access an account held with the institution. The enrollment webpage is configured to educate the user about the enrollment process and subsequently start the user identification process of step 210.

[0030] In step 210, the user is asked specific personal questions in which only the user knows the answer in order to generate a verified user identity. The questions may relate to dynamic data that frequently changes and is known only by the institution, such as “when was your last deposit,” “what was the last check number,” “who was the check written to” or “who last deposited money in the financial institution”, “what was your last take home pay amount.” The personal questions may relate to static data that does not change, such as “what car did you drive before your current car,” “what is your social security number, date of birth, mother’s maiden name” or “what address did you live at before your current address.” In step 215, the answers given by the user are compared to known answers in a data source, such as data at the institution or data held at third party data bases, to verify the identity of the user. If the answers do not match the known answers in the data source, then, in step 220, an exception process is activated. The exception process may include a verification of the user over the phone. Additionally, the exception process may include the user making a personal appearance at a specific location. The exception process in step 220 may be any type of process known in the art to verify the identity of the user.

[0031] In step 225, the security agent 110 is downloaded to the user machine 105 after the identity of the user is established. In one embodiment, the security agent 110 is downloaded directly from the institution server 140 via the network 120. In another embodiment, the security agent 110 is downloaded via the network 120 from the authentication server 125. In any case, the security agent 110 is configured to interact with both the authentication server 125 and the institution server 140.

[0032] In step 230, a user name and password is selected to establish the first factor of authentication. In one embodiment, the user selects the user name and password. In another embodiment, the authentication server 125 or the institution server 140 generates the user name and/or the password. In any case, the user name and/or password are used during the secure access transaction 300 and the secure payment transaction 400, described below.

[0033] In step 235, unique information from the user machine 105 is extracted by the security agent 110 to establish the second factor of authentication. As set forth above, the information may include any number of different types of data associated with the user machine 105. Again, the information may include the IMEI or the IMSI which relate to mobile devices. The information may include the geolocation of the user machine 105. The information may also include machine level attributes, such as a Device ID, a Vendor ID, data at a SMM memory space, a memory type, a memory clock, hard drive serial number, chipset information, data at different locations in firmware, or information available in Microcode patch, a checksum of firmware, or BIOS. Further, the information may include system level attributes, such as a MAC address, a hard drive serial number, interrupt routing, GPIO routing, PCI DevSel routing, a map of hardware configuration, or an operating system registry. Additionally, the information may relate to system pattern extraction, such as a directory structure or a list of installed applications. No matter what type of select data is extracted from the user machine 105, the data or a combination of different types of data should be unique to the user machine 105 in order to establish the second factor of authentication.

[0034] In step 240, the biometric information is collected in order to establish the third factor of identity. As set forth herein, the biometric data may include specific typing patterns of the user or biometric data generated by a biometric device, such as a fingerprint device or an iris pattern device. Although each factor of authentication was discussed in steps 230, 235 and 240, it should be understood, however, that any of the factors may be an optional factor of authentication in the enrollment process 200 without departing from principles of the present invention.

[0035] In step 245, the verified user identity from step 215 is connected (or bound) to the user identity profile 115 which generally comprises the data collected in steps 230-240. The connecting (or binding) of the verified user identity to the factors of authentication allows the user to engage in the secure access transaction 300 or the secure payment transaction 400 without having to repeat the enrollment steps. In other words, the binding of the identity with the factors of authentication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions (the specific personal questions) every time.
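
The binding of steps 230-245 and the later check of a login against the stored identity profile can be sketched as follows. This is an added example, not code from the patent: every name in it (UserProfilesDatabase, device_fingerprint, Outcome), the choice of PBKDF2 and HMAC-SHA-256, and the sample device values are assumptions, and the optional biometric factor is left out.

```python
import hashlib
import hmac
import json
import os
from enum import Enum

PBKDF2_ROUNDS = 200_000            # assumption: the patent names no algorithm
FINGERPRINT_KEY = os.urandom(32)   # secret known only to the authentication server


class Outcome(Enum):
    ALLOW_ACCESS = "allow access"
    EXCEPTION_FIRST_FACTOR = "exception process: username/password mismatch"
    EXCEPTION_SECOND_FACTOR = "exception process: device data mismatch"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash; the profile never stores the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def device_fingerprint(device_data: dict) -> bytes:
    """Keyed digest over the device data, canonicalised so key order is irrelevant."""
    canonical = json.dumps(device_data, sort_keys=True, separators=(",", ":"))
    return hmac.new(FINGERPRINT_KEY, canonical.encode("utf-8"), hashlib.sha256).digest()


class UserProfilesDatabase:
    """Server-side store of identity profiles (hypothetical stand-in)."""

    def __init__(self):
        self._profiles = {}
        # Dummy credentials so an unknown username costs the same work as a known one.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("dummy", self._dummy_salt)

    def enroll(self, identity_verified, username, password, device_data):
        """Bind an already verified identity to both factors and store the profile."""
        if not identity_verified:
            raise PermissionError("identity not verified: route to the exception process")
        if username in self._profiles:
            raise ValueError("username already enrolled")
        salt = os.urandom(16)
        self._profiles[username] = {
            "salt": salt,
            "password_hash": hash_password(password, salt),
            "device": device_fingerprint(device_data),
        }

    def authenticate(self, username, password, device_data) -> Outcome:
        """Check the first factor, then the second, against the stored profile."""
        profile = self._profiles.get(username)
        salt = profile["salt"] if profile else self._dummy_salt
        expected = profile["password_hash"] if profile else self._dummy_hash
        password_ok = hmac.compare_digest(hash_password(password, salt), expected)
        if profile is None or not password_ok:
            return Outcome.EXCEPTION_FIRST_FACTOR
        if not hmac.compare_digest(device_fingerprint(device_data), profile["device"]):
            return Outcome.EXCEPTION_SECOND_FACTOR
        return Outcome.ALLOW_ACCESS


def demo():
    """Run the flow on constructed sample data and return the four outcomes."""
    enrolled_device = {           # constructed values, not real identifiers
        "mac_address": "02:00:00:00:00:01",
        "hard_drive_serial": "CONSTRUCTED-SN-0001",
        "cpu_type": "example-cpu",
    }
    other_device = dict(enrolled_device, hard_drive_serial="CONSTRUCTED-SN-9999")
    reordered = dict(reversed(list(enrolled_device.items())))

    db = UserProfilesDatabase()
    db.enroll(True, "jsmith", "correct horse battery staple", enrolled_device)
    return [
        db.authenticate("jsmith", "correct horse battery staple", reordered),
        db.authenticate("jsmith", "wrong password", enrolled_device),
        db.authenticate("nobody", "dummy", enrolled_device),
        db.authenticate("jsmith", "correct horse battery staple", other_device),
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.value)
```

The last case is the one the second factor exists for: a correct password presented from a machine whose device data differs from the enrolled profile goes to the exception process instead of being allowed.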

[0036] In step 250, a copy of the profile 115 is stored in the user profiles database 130 in the authentication server 125. During the secure access transaction 300 and the secure payment transaction 400, the security agent 110 interacts with the authentication server 125 by comparing the data from the user and the user machine with the user profile 115 stored in the user profiles database 130 to establish the identity of the user before proceeding with the transaction. It should be noted that in one embodiment the user is able to use the secure access transaction 300 and the secure payment transaction 400 without providing any sensitive personal data, such as a credit card number, a debit card number, etc. In another embodiment, the user interacts directly with an institution to verify the identity of the user. Then the institution issues a one-time credential, such as an account nu