(12) Patent Application Publication
(10) Pub. No.: US 2008/0120195 A1
Shakkarwar
(43) Pub. Date: May 22, 2008

US 20080120195A1

(54) SYSTEMS AND METHODS FOR IDENTIFICATION AND AUTHENTICATION OF A USER

(76) Inventor: Rajesh G. Shakkarwar, Cupertino, CA (US)

Correspondence Address:
PATTERSON & SHERIDAN, L.L.P.
3040 POST OAK BOULEVARD, SUITE 1500
HOUSTON, TX 77056

(21) Appl. No.: 11/562,353

(22) Filed: Nov. 21, 2006

Publication Classification

(51) Int. Cl.
G06Q 20/00 (2006.01)
G06Q 30/00 (2006.01)

(52) U.S. Cl. .................................. 705/26; 705/1; 705/35

(57) ABSTRACT

The present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. In one aspect, a method for facilitating a secure transaction over a network is provided. The method includes collecting a username and password associated with a user of the machine. The method further includes verifying that the username and password matches a previously collected username and password in an identity profile. The method also includes collecting device data from a user machine to uniquely identify the machine. Additionally, the method includes verifying that the device data matches previously collected device data in the identity profile. In another aspect, a computer-readable medium including a set of instructions that when executed by a processor cause the processor to facilitate a secure transaction over a network is provided. In yet a further aspect, a system for facilitating a secure transaction is provided.

APPLE EXHIBIT 1107
Page 1 of 18

Patent Application Publication    May 22, 2008    Sheet 1 of 9    US 2008/0120195 A1

[Drawing on Sheet 1 of 9, system 100. Legible labels: INSTITUTION (140), SECURITY AGENT. The remaining labels are not recoverable from the extraction.]

FIG. 2 (Sheet 2 of 9), flow chart boxes:

205  USER ACCESSES AN ENROLLMENT WEBPAGE
210  ASK USER SPECIFIC PERSONAL QUESTIONS
215  IDENTITY INFORMATION MATCH? (YES / NO)
220  EXCEPTION PROCESS
225  DOWNLOAD AGENT TO USER MACHINE
230  SELECT USER NAME & PASSWORD - FIRST FACTOR OF AUTHENTICATION
235  EXTRACT UNIQUE INFORMATION FROM THE MACHINE - SECOND FACTOR OF AUTHENTICATION
240  OBTAIN BIOMETRIC INFORMATION FROM USER - THIRD FACTOR OF AUTHENTICATION
245  BIND USER IDENTITY WITH THE USER IDENTITY PROFILE
250  STORE IDENTITY PROFILE IN THE AUTHENTICATION SERVER

FIG. 3 (Sheet 3 of 9), flow chart boxes:

305  COLLECT USER NAME AND/OR PASSWORD - FIRST FACTOR OF AUTHENTICATION
310  IDENTIFY INFORMATION MATCH? (YES / NO)
315  EXCEPTION PROCESS
320  COLLECT IDENTITY INFORMATION ABOUT USER MACHINE - SECOND FACTOR OF AUTHENTICATION
325  COLLECT BIOMETRIC IDENTITY INFORMATION - THIRD FACTOR OF AUTHENTICATION
330  VERIFY IDENTITY INFORMATION WITH IDENTITY PROFILE PREVIOUSLY STORED IN THE AUTHENTICATION SERVER
335  IDENTIFY INFORMATION MATCH? (YES / NO)
340  EXCEPTION PROCESS
345  ALLOW ACCESS

FIG. 4A (Sheet 4 of 9), flow chart boxes:

405  COLLECT USER NAME AND/OR PASSWORD - FIRST FACTOR OF AUTHENTICATION
410  IDENTIFY INFORMATION MATCH? (YES / NO)
415  EXCEPTION PROCESS
420  COLLECT IDENTITY INFORMATION ABOUT USER MACHINE - SECOND FACTOR OF AUTHENTICATION
425  COLLECT BIOMETRIC IDENTITY INFORMATION - THIRD FACTOR OF AUTHENTICATION
430  VERIFY IDENTITY INFORMATION WITH IDENTITY PROFILE PREVIOUSLY STORED IN THE AUTHENTICATION SERVER
435  IDENTIFY INFORMATION MATCH? (YES / NO)
440  EXCEPTION PROCESS
445  CONNECT TO USER FINANCIAL INSTITUTION SERVER
TO FIG. 4B, STEP 450

FIG. 4B (Sheet 5 of 9), flow chart boxes (method 400, continued):

FROM FIG. 4A, STEP 445
450  OBTAIN ACCOUNT INFORMATION FROM FINANCIAL INSTITUTION SERVER
455  SELECT ACCOUNT FOR PAYMENT
460  CREATE ONE-TIME USE PERSONAL ACCOUNT NUMBER
465  ENTER ONE-TIME USE PERSONAL ACCOUNT NUMBER IN THE MERCHANT WEBPAGE
470  SEND ONE-TIME USE PERSONAL ACCOUNT NUMBER TO PAYMENT PROCESSOR
475  EXTRACT SERVER DATA FROM ONE-TIME USE PERSONAL ACCOUNT NUMBER
480  SEND ONE-TIME USE PERSONAL ACCOUNT NUMBER AND TRANSACTION DETAILS TO THE AUTHENTICATION SERVER
485  REPLACE ONE-TIME USE PERSONAL ACCOUNT NUMBER WITH USER REAL PERSONAL ACCOUNT NUMBER
490  SEND REAL PERSONAL ACCOUNT NUMBER & TRANSACTION DETAILS TO USER FINANCIAL INSTITUTION FOR AUTHORIZATION
495  SEND AUTHORIZATION TO PAYMENT PROCESSOR
498  SETTLEMENT IS MADE BETWEEN USER FINANCIAL INSTITUTION AND MERCHANT FINANCIAL INSTITUTION

[Sheets 6-9 of 9 (FIG. 5 and FIGS. 6-8): drawings; their text is not recoverable from the extraction.]

SYSTEMS AND METHODS FOR IDENTIFICATION AND AUTHENTICATION OF A USER

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention
[0002] The present invention generally relates to computer security and more specifically to systems and methods for identifying and authenticating a user.
[0003] 2. Description of the Related Art
[0004] Internet commerce has increased dramatically over the last several years. As a result, several different on-line payment methods have been created. In one payment method, the buyer simply types a credit card number into an on-line payment webpage to pay for the goods or services provided by an on-line merchant. In another payment method, the buyer uses an on-line payment service to pay for the goods or services provided by an on-line merchant. The on-line payment service allows the buyer to pay the on-line merchant via the Internet using funds that are available in a bank account or on a credit card. The on-line payment service holds the account information, not the on-line merchant, and therefore the on-line payment service may protect the buyer from unlawful use of the buyer’s account.
[0005] Even though on-line payment services are effective in providing a more secure means of on-line payment between the buyer and the on-line merchant as compared to paying by a credit card number or a personal check, on-line payment services typically require a single factor of authentication to verify that the buyer is actually the owner of the account. For example, the on-line payment service may require the buyer to input an email address and a password to make an on-line payment. However, the single factor of authentication, such as the email address and password, can be easily stolen by a computer hacker. This may result in the unlawful use of the buyer’s account, which is a common form of identity theft.
[0006] In addition to Internet commerce, many banks now offer on-line banking which allows customers to access their accounts via the Internet. On-line banking allows a customer to perform routine transactions, such as account transfers, balance inquiries, bill payments, and stop-payment requests from a remote computer. In addition, some banks allow their customers to apply for loans and credit cards on-line as well. Similar to on-line payment services, to access the account information or apply for a loan or a credit card on-line, a bank usually requires only one factor of authentication to verify that an on-line customer is actually the owner of the account. For example, the bank may require the customer to input a username and a password to access the account. Again, the single factor of authentication, such as the username and password, can be easily stolen by a computer hacker, which may result in the unlawful use of the customer’s account.
[0007] As the foregoing illustrates, there is a need in the art for a way to verify the identities of on-line customers that is more secure than current approaches.

SUMMARY OF THE INVENTION

[0008] The present invention generally relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. In one aspect, a method for facilitating a secure transaction over a network is provided. The method includes collecting a username and password associated with a user of the machine. The method further includes verifying that the username and password matches a previously collected username and password in an identity profile. The method also includes collecting device data from a user machine to uniquely identify the machine. Additionally, the method includes verifying that the device data matches previously collected device data in the identity profile.
[0009] In another aspect, a computer-readable medium including a set of instructions that when executed by a processor cause the processor to facilitate a secure transaction over a network is provided. The processor performs the step of collecting a username and password associated with a user of the machine. The processor also performs the step of transmitting the username and password to a server machine in order to verify that the username and password matches a previously collected username and password in an identity profile. Further, the processor performs the step of collecting device data from a user machine to uniquely identify the machine. Additionally, the processor performs the step of transmitting the device data to the server machine in order to verify that the device data matches a previously collected device data in the identity profile.
[0010] In yet a further aspect, a system for facilitating a secure transaction is provided. The system includes a computing device having a processor and a memory, wherein the memory includes a security agent program configured to collect a username and password associated with a user of the computing device and transmit the username and password. The security agent is also configured to collect device data from the computing device to uniquely identify the computing device and transmit the device data. The system further includes a server machine that includes a user profiles database and configured to receive the username and password from the computing device and verify that the username and password matches previously collected username and password in the identity profile stored in user profiles database. The server machine is further configured to receive the device data from the computing device and verify that the device data matches previously collected device data in an identity profile stored in user profiles database.

BRIEF DESCRIPTION OF THE DRAWINGS

[0011] So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments.
[0012] FIG. 1 is a conceptual block diagram of a system configured to identify and authenticate the identity of a user, according to one embodiment of the invention.
[0013] FIG. 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention.
[0014] FIG. 3 is a flow chart of method steps for securely accessing a user account, according to one embodiment of the invention.
[0015] FIGS. 4A and 4B are a flow chart of method steps for making a secured payment, according to one embodiment of the invention.
[0016] FIG. 5 is a conceptual block diagram of a system through which a secured payment may be made, according to one embodiment of the invention.
[0017] FIGS. 6-8 are conceptual illustrations depicting how the security agent of FIG. 1 interacts with a merchant payment web page when a secured payment is made, according to one embodiment of the invention.

DETAILED DESCRIPTION

[0018] In general, the invention relates to a computer security system for use in the identification and authentication of a user prior to an on-line transaction. The system will be described herein in relation to a single user. However, it should be understood that the systems and methods described herein may be employed with any number of users without departing from the principles of the present invention. The description of the invention is separated into four sections: the architecture, the enrollment process, a secure access transaction, and a secure payment transaction. To better understand the novelty of the system of the present invention and the methods of use thereof, reference is hereafter made to the accompanying drawings.
[0019] Architecture
[0020] FIG. 1 is a conceptual block diagram of a system 100 configured to identify and authenticate the identity of a user, according to one embodiment of the invention. The system 100 includes a user machine 105, which may be any type of individual computing device such as, for example, a desk-top computer, a lap-top computer, a hand-held phone device, or a personal digital assistant. Generally, the user machine 105 is configured to be a communication link between the user and the other components in the system 100. The user machine 105 includes a security agent 110. Generally, the security agent 110 is a software entity that runs on the user machine 105. As described in further detail herein, the security agent 110, among other things, is configured to create an identity profile 115 of a user and of user machine 105, collect certain data from the user machine 105 or manage secure access or secure payment transactions made from user machine 105. Additionally, the security agent 110 is designed to offer protection against phishing, pharming, Trojan programs or worms.
[0021] As also shown, the user machine 105 includes the profile 115, which represents the identity of the user. The profile 115 is unique for each user. As described in further detail herein, once the profile 115 has been created for the user, the identity of the user can be subsequently verified by a series of interactions between the security agent 110 and the authentication server 125 based on the profile 115. The profile 115 includes data about the user and the user machine 105 and can be used to establish a multifactor identification for the user whenever the user attempts to conduct transactions via the user machine 105. The first factor of authentication is a username and/or password, which relates to “what the user knows.” The second factor of authentication is unique information about the user machine 105, which relates to “what the user has.” The third factor of authentication is unique information about the user, such as biometric identity, which relates to “who the user is.”
[0022] As will be discussed below in the enrollment process, the username and/or password is created by the user after the identity of the user is established. The username and/or password are typically a combination of characters and numbers, which the user can easily remember. In one embodiment, the user machine 105 transmits the username and/or password in a cryptographically protected form, so access to the actual username and/or password will be difficult for a snooper who gains internal access to the user machine 105.

[0023] With respect to the second factor of authentication, the unique information about the user machine 105 is generally a combination of select information associated with the user machine 105. The information may be static or dynamic. For instance, the information may include the International Mobile Equipment Identity (IMEI), which is a number unique to every mobile phone, the International Mobile Subscriber Identity (IMSI), which is a unique number associated with network mobile phone users, and/or the geolocation of the user machine 105, which is a real-world geographic location of a network connected computer or mobile device. The information about the user machine 105 may also include machine-level attributes. For instance, the information may include various parameters available through a PCI configuration space, like the Device ID or the Vendor ID for different system devices, the data residing in the SMM memory space, or other memory hardware attributes, such as memory type, memory clock speed, amount of memory, hard drive serial number, size of hard drive, maker of hard drive etc., and/or chipset information or graphics card information, which can be used to read hidden and/or unhidden registers within those subsystems. Further, the information may include data at different locations in firmware or BIOS or information available in a Microcode patch or a checksum of a portion of the firmware within the user machine 105.
[0024] In addition to the foregoing, the information about the user machine 105 may also be system-level attributes. For instance, the information may include a MAC address, hard drive serial number, hardware configuration information, such as interrupt routing, GPIO routing, PCI Device Select routing or a hardware configuration map, operating system registry, CPU type, CPU version or CPU clock speed. The information about the user machine 105 may also include system pattern extraction. For instance, the information may include a directory structure and/or a list of installed applications, such as a word processor or other computer tools.
[0025] The third factor of authentication consists of unique information about the user, such as a biometric identity. The biometric data may include the specific typing pattern of the user since each user’s typing behavior is unique. Typically, typing authentication works by requesting that a user seeking access to a computer or a password-protected file just type a short passage into the computer so that the user’s typing pattern can be analyzed and matched against a known pattern. Additionally, the biometric data may also be generated by a biometric device, such as a fingerprint device or an iris pattern device, included within the user machine 105.
[0026] The system 100 further includes a network 120, which may be any type of data network, such as a local area network (LAN), a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The network 120 is configured to act as a communication pathway between the user machine 105, the authentication server 125, and an institution server 140. The authentication server 125 stores a copy of the profile 115 generated during the enrollment process in a user profiles database 130. Additionally, the authentication server 125 interacts with the agent 110 via the network 120 during the secure access transaction and the secure payment transaction, as described below. The institution server 140 stores sensitive information for the user e.g. financial account information, confidential data, etc. The institution server 140 may be part of a bank, a building society, a credit union, a stock brokerage, or other businesses holding sensitive data. Generally, the institution server 140 interacts with the agent 110 via the network 120 during the enrollment process, a secure access transaction or a secure payment transaction, as described below.

[0027] Enrollment Process
[0028] FIG. 2 is a flow chart of method steps for enrolling a user in a security service, according to one embodiment of the invention. Although the method steps are described in the context of the system of FIG. 1, any system configured to perform the method steps, in any order, is within the scope of the invention. Generally, the enrollment process 200 is used to verify the identity of the user, establish multi-factors of authentication and bind the verified identity of the user to the multi-factors of authentication. As will be discussed herein, verifying the user identity during the enrollment process 200 may include having the user answer specific personal questions e.g. amount of last check deposited, date of last withdrawal, previous residential address, etc. The answers are then checked against a known answer from a data source, such as the institution and/or third party consumer data base to verify that the user is who the user claims to be. Some examples of the multi factors of authentication are: the identification of the user, the identification of the machine, the biometric identity of the user, etc. It should be noted that the enrollment process is a one-time process for each user. After the enrollment process 200 is complete, the user is able to perform the secure access transaction 300 or the secure payment transaction 400, described below, without having to repeat the enrollment steps. The process of verifying identity significantly reduces the chance of a malicious party claiming to be the user. The process of binding the verified identity to the multi-factors of authentication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions, such as the specific personal questions each time.
[0029] The enrollment process 200 begins in step 205, where the user accesses an enrollment webpage. In one embodiment, the enrollment webpage is generated by the institution server 140 and downloaded to the user machine 105 when the user attempts to electronically access an account held with the institution. The enrollment webpage is configured to educate the user about the enrollment process and subsequently start the user identification process of step 210.
[0030] In step 210, the user is asked specific personal questions in which only the user knows the answer in order to generate a verified user identity. The questions may relate to dynamic data that frequently changes and is known only by the institution, such as “when was your last deposit,” “what was the last check number,” “who was the check written to” or “who last deposited money in the financial institution”, “what was your last take home pay amount.” The personal questions may relate to static data that does not change, such as “what car did you drive before your current car,” “what is your social security number, date of birth, mother’s maiden name” or “what address did you live at before your current address.” In step 215, the answers given by the user are compared to known answers in a data source, such as data at the institution or data held at third party data bases, to verify the identity of the user. If the answers do not match the known answers in the data source, then, in step 220, an exception process is activated. The exception process may include a verification of the user over the phone. Additionally, the exception process may include the user making a personal appearance at a specific location. The exception process in step 220 may be any type of process known in the art to verify the identity of the user.
[0031] In step 225, the security agent 110 is downloaded to the user machine 105 after the identity of the user is established. In one embodiment, the security agent 110 is downloaded directly from the institution server 140 via the network 120. In another embodiment, the security agent 110 is downloaded via the network 120 from the authentication server 125. In any case, the security agent 110 is configured to interact with both the authentication server 125 and the institution server 140.

[0032] In step 230, a user name and password is selected to establish the first factor of authentication. In one embodiment, the user selects the user name and password. In another embodiment, the authentication server 125 or the institution server 140 generates the user name and/or the password. In any case, the user name and/or password are used during the secure access transaction 300 and the secure payment transaction 400, described below.
[0033] In step 235, unique information from the user machine 105 is extracted by the security agent 110 to establish the second factor of authentication. As set forth above, the information may include any number of different types of data associated with the user machine 105. Again, the information may include the IMEI or the IMSI which relate to mobile devices. The information may include the geolocation of the user machine 105. The information may also include machine level attributes, such as a Device ID, a Vendor ID, data at a SMM memory space, a memory type, a memory clock, hard drive serial number, chipset information, data at different locations in firmware, or information available in Microcode patch, a checksum of firmware, or BIOS. Further, the information may include system level attributes, such as a MAC address, a hard drive serial number, interrupt routing, GPIO routing, PCI DevSel routing, a map of hardware configuration, or an operating system registry. Additionally, the information may relate to system pattern extraction, such as a directory structure or a list of installed applications. No matter what type of select data is extracted from the user machine 105, the data or a combination of different types of data should be unique to the user machine 105 in order to establish the second factor of authentication.
[0034] In step 240, the biometric information is collected in order to establish the third factor of identity. As set forth herein, the biometric data may include specific typing patterns of the user or biometric data generated by a biometric device, such as a fingerprint device or an iris pattern device. Although each factor of authentication was discussed in steps 230, 235 and 240, it should be understood, however, that any of the factors may be an optional factor of authentication in the enrollment process 200 without departing from principles of the present invention.
[0035] In step 245, the verified user identity from step 215 is connected (or bound) to the user identity profile 115 which generally comprises the data collected in steps 230-240. The connecting (or binding) of the verified user identity to the factors of authentication allows the user to engage in the secure access transaction 300 or the secure payment transaction 400 without having to repeat the enrollment steps. In other words, the binding of the identity with the factors of authentication eliminates the cumbersome process of proving the identity of the user at every transaction while providing the same level of security as though the user answered the identity questions (the specific personal questions) every time.
[0036] In step 250, a copy of the profile 115 is stored in the user profiles database 130 in the authentication server 125. During the secure access transaction 300 and the secure payment transaction 400, the security agent 110 interacts with the authentication server 125 by comparing the data from the user and the user machine with the user profile 115 stored in the user profiles database 130 to establish the identity of the user before proceeding with the transaction. It should be noted that in one embodiment the user is able to use the secure access transaction 300 and the secure payment transaction 400 without providing any sensitive personal data, such as a credit card number, a debit card number, etc. In another embodiment, the user interacts directly with an institution to verify the identity of the user. Then the institution issues a one-time credential, such as an account number and/or password. The one-time credential is used during the authentication process of the user to establish the identity of the user before proceeding with the secure access transaction 300 or the secure payment transaction 400.
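
The binding of steps 230-250 and the later comparison against the stored profile described in [0036], as an added Python example (not code from the patent or from any product). It covers only the first two factors; the attribute names, the PBKDF2 and HMAC-SHA-256 choices, the class and function names, and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed subset of the machine attributes named in [0023]-[0024]; a real
# agent would choose a combination that is unique to the user machine.
DEVICE_ATTRIBUTES = ("mac_address", "hard_drive_serial", "cpu_type",
                     "pci_vendor_id", "pci_device_id")
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example


def hash_password(password, salt):
    """Salted verifier, so the stored profile never holds the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS)


def device_digest(device_data, key):
    """Keyed digest over a canonical encoding of the device attributes."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for name in DEVICE_ATTRIBUTES:  # fixed order, so the encoding is stable
        raw = device_data.get(name)
        if raw is None or not str(raw).strip():
            raise ValueError(f"missing device attribute: {name}")
        value = str(raw).strip().lower().encode("utf-8")
        # Length-prefix each value so ("ab", "c") and ("a", "bc") differ.
        mac.update(len(value).to_bytes(4, "big") + value)
    return mac.digest()


@dataclass(frozen=True)
class IdentityProfile:
    username: str
    password_salt: bytes
    password_hash: bytes
    device_key: bytes
    device_hash: bytes


class AuthenticationServer:
    ALLOW = "ALLOW_ACCESS"
    EXCEPTION = "EXCEPTION_PROCESS"

    def __init__(self):
        self._profiles = {}  # stands in for the user profiles database
        # Dummy profile: unknown usernames cost the same work as known ones.
        self._dummy = self._build("", os.urandom(16).hex(),
                                  {n: "x" for n in DEVICE_ATTRIBUTES})

    def _build(self, username, password, device_data):
        salt, key = os.urandom(16), os.urandom(32)
        return IdentityProfile(username, salt, hash_password(password, salt),
                               key, device_digest(device_data, key))

    def enroll(self, username, password, device_data):
        """Bind both factors into one stored profile (steps 230-250)."""
        if username in self._profiles:
            raise ValueError("user already enrolled")
        self._profiles[username] = self._build(username, password, device_data)

    def verify(self, username, password, device_data):
        """Both factors must match the profile; otherwise exception process."""
        profile = self._profiles.get(username)
        known = profile is not None
        profile = profile or self._dummy
        password_ok = hmac.compare_digest(
            hash_password(password, profile.password_salt),
            profile.password_hash)
        try:
            device_ok = hmac.compare_digest(
                device_digest(device_data, profile.device_key),
                profile.device_hash)
        except ValueError:  # incomplete device data never matches
            device_ok = False
        if known and password_ok and device_ok:
            return self.ALLOW
        return self.EXCEPTION


# Constructed sample values, not taken from the patent.
ENROLLED_MACHINE = {"mac_address": "00:1A:2B:3C:4D:5E",
                    "hard_drive_serial": "EXAMPLE-SERIAL-0001",
                    "cpu_type": "ExampleCPU 2.4GHz",
                    "pci_vendor_id": "0xABCD", "pci_device_id": "0x1234"}
OTHER_MACHINE = dict(ENROLLED_MACHINE, mac_address="00:1A:2B:3C:4D:5F")


def demo():
    server = AuthenticationServer()
    server.enroll("alice", "correct horse", ENROLLED_MACHINE)
    check = server.verify
    return {
        "enrolled machine": check("alice", "correct horse", ENROLLED_MACHINE),
        "same credentials, different machine":
            check("alice", "correct horse", OTHER_MACHINE),
        "wrong password": check("alice", "guess", ENROLLED_MACHINE),
        "unknown user": check("mallory", "correct horse", ENROLLED_MACHINE),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The second case is the one the Background section is concerned with: a username and password that are correct but presented from a machine other than the enrolled one do not pass.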

[0037] Secure Access Transaction
[0038] FIG. 3 is a flow chart of method steps for securely accessing a user account, according to one embodiment of the invention. Although the method steps