WORLD INTELLECTUAL PROPERTY ORGANIZATION
International Bureau
INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT COOPERATION TREATY (PCT)

(51) International Patent Classification 6: H04Q 7/38, G07F 19/00
(11) International Publication Number: WO 96/00485 A2
(43) International Publication Date: 4 January 1996 (04.01.96)
(21) International Application Number: PCT/SE95/00719
(22) International Filing Date: 14 June 1995 (14.06.95)
(30) Priority Data: 08/264,939, 24 June 1994 (24.06.94), US
(71) Applicant: TELEFONAKTIEBOLAGET LM ERICSSON [SE/SE]; S-126 25 Stockholm (SE).
(72) Inventors: JONSSON, Björn, Erik, Rutger; Dimvägen 36, S-175 38 Järfälla (SE). FALK, Johan, Per; Gustav Trelles Vage 4, S-175 76 Järfälla (SE).
(74) Agents: BORLIN, Björn et al.; Telefonaktiebolaget LM Ericsson, Patent Dept., S-126 25 Stockholm (SE).
(81) Designated States: AM, AT, AU, BB, BG, BR, BY, CA, CH, CN, CZ, DE, DK, EE, ES, FI, GB, GE, HU, IS, JP, KE, KG, KP, KR, KZ, LK, LR, LT, LU, LV, MD, MG, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, TJ, TM, TT, UA, UG, UZ, VN, European patent (AT, BE, CH, DE, DK, ES, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE), OAPI patent (BF, BJ, CF, CG, CI, CM, GA, GN, ML, MR, NE, SN, TD, TG), ARIPO patent (KE, MW, SD, SZ, UG).

Published: Without international search report and to be republished upon receipt of that report.

(54) Title: USER AUTHENTICATION METHOD AND APPARATUS
`
(57) Abstract

Authorization for a user to use a service is provided by a modified pager which calculates a unique response code to a transmitted challenge code based on the challenge code, an input personal identification number, and an internal key. The response code is input to a simple terminal, such as a telephone and if the unique response code is acceptable, the user may access the desired service, such as cashless transactions or long distance phone service.
`
[Figure: block diagram showing authentication center 30, service node(s) 26, personal unit 20 and terminal 22]
`
`Amazon.com Exhibit 1006 - Page 1
`Amazon.com, Inc. v. DynaPass IP Holdings LLC
`IPR2024-00283 - U.S. Patent No. 6,993,658
`
`
`
`
USER AUTHENTICATION METHOD AND APPARATUS

BACKGROUND OF THE INVENTION

1) Field of the Invention

The present invention involves a method and an apparatus for authentication of a user attempting to access an electronic service, and, in particular, providing an authentication unit which is separate from preexisting systems.

2) Description of Related Art

Effective authentication methods and apparatuses have been in great demand to prevent fraud and theft of services. This demand increases with the explosion of electronic services in the current information age. Electronic services such as banking services, credit card services, automatic teller machine (ATM) services, account information services such as mortgage, savings and investment accounts, general information services such as data base services and networks, security services and long distance phone services all require that a user be accurately identified for purposes of security, proper billing and avoidance of fraud. Recently, fraud in the cellular mobile telephone industry has placed so great a demand on effective authentication methods that a protocol has been standardized for cellular mobile systems. See, GSM 03.20, European Telecommunications Standards Institute (ETSI), 1993, pp. 19-29 and U.S. Patent No. 5,282,250, herein incorporated by reference.

However, conventional authentication systems have required specially equipped terminals with card readers such as ATMs or credit card gas station terminals, data terminals using a log-in procedure, or cellular mobile radio stations with built-in authentication capabilities. Credit cards having a magnetic strip provide only minimal security insomuch as the bearer of the card is usually permitted to conduct transactions without further authentication of the user's identification other than perhaps comparing an unauthenticated signature on the card to a signature of the user. Even in transactions when signatures are required, the certainty of the user's identification is minimal.

Other identity cards, such as ATM cards, require a log-on procedure with a password, or PIN. But the PIN, once learned by an unauthorized user, offers no security in authenticating the user if the user can duplicate the ATM card.

These methods of authentication require specially equipped, and often dedicated, terminals, which raises the cost and reduces the availability of the associated electronic service. In other words, the prior art security systems often require a dedicated or customized terminal or modification to existing terminals, which greatly restricts the use of security systems to specific sites. Also, a user may use several electronic services, each service requiring an authentication procedure and/or personal identification number (PIN) or password, each procedure or password different from the others. As a subscriber to several electronic services, a user might end up with numerous passwords to remember. Even worse, he or she may be required to change these passwords periodically, thus having to remember if a password is still valid or not.

Also, transactions requiring relatively certain authentication have been largely unavailable from relatively simple terminals like telephones. For instance, home banking by telephone has been limited to transactions involving the bank customer's own accounts or using only the customer's own telephone.

SUMMARY OF THE INVENTION

The present invention overcomes these and other problems by providing an authentication procedure wherein the user carries a personal unit not limited to use with or physically connected to a terminal of any one specific electronic service. The personal unit can be used to authenticate a user's identity through a variety of terminals associated with a variety of electronic services.

The personal unit includes a receiver for receiving a transmitted challenge code and an algorithm unit which processes the challenge code, a user input such as a personal identification number (PIN) or electronically recognizable signature, and an internally stored security key for calculating a response code according to a pre-stored algorithm. The response code is then sent to the service node and, if it is acceptable, access to the service is authorized.

The basic method involves receiving a challenge code from a system, the user inputting a personal identification number or other recognizable input, and the personal unit generating a response code based on an internally stored algorithm. The PIN or other user input may be changed from time to time, and the challenge code and the response are unique for each transaction. The personal unit may receive and store a plurality of challenge codes for later use.

The personal unit can be used with virtually any existing terminal of an electronic service without requiring the terminal to be modified or customized. For instance, the personal unit can be used with a standard telephone, whether a radio telephone or land-line telephone. The user can input the response code displayed on the personal unit through the telephone keypad or the personal unit can include a DTMF transmitter for direct input of the response code into the microphone of the telephone. It follows that the keypad of any service terminal (e.g., a data terminal connected to a service computer) can be used to input the response code. If some other input device is used in a terminal, such as an acoustic input, an inductively coupled input, an optical input, radio transmitter (particularly if the terminal is by-passed and the response code is transmitted directly to the authentication center), etc., the personal unit can include a compatible output device. In other words, the personal unit can be modified or equipped to be compatible with existing or prospective terminals, rather than having to modify the terminals to suit the authentication procedure.

The same basic authentication procedure can be used for all services the user might wish to engage, the procedure being modifiable to suit any specific requirements of the electronic service. The user may have one personal unit for all the services he may wish to subscribe to, or several personal units, each unit being usable with one or a subset of services to which the user has subscribed.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will now be described with reference to the attached drawing figures in which:

Figure 1 is a schematic diagram of an authentication pager system in accordance with the present invention;

Figure 1A is a schematic diagram of an authentication pager system with reference to specific communications in accordance with the present invention;

Figure 2 is a perspective view of a personal unit in accordance with the present invention; and

Figure 3 is a flowchart outlining the authentication process in accordance with the present invention.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Hardware of the System

Referring to Figure 1, the present invention includes a personal unit 20 for generating a response code, a terminal 22 for initiating service access and conducting service, and for inputting the response code to a service access network 24 or directly to a separate authentication center 30. The service access network transmits data between the terminal 22 and a service node 26. The service node 26 generates a challenge code and requests that the challenge code be sent to the personal unit 20 via an authentication challenge network 28. Alternatively, the separate authentication center 30 can generate the challenge code upon request by the service node 26. The terminal 22 can be a land-line telephone, a radio telephone, an ATM, a computer with a modem (modulator/demodulator), a facsimile machine, or virtually any other type of terminal capable of receiving an input directly or indirectly from the personal unit and relaying information to a service node 26.

The service node 26 may be any form of electronic service, such as banking or financial services, credit card services, long distance telephone services, information services, etc. The type of service provided is not germane to the present invention. One of the advantages of the personal unit of the present invention is that it can be used for authenticating the user of any service.

In an exemplary embodiment, the authentication center 30, whether separate or as part of the service node 26, includes a radio transmitter, storage for one or more algorithms, and a comparator to compare the received response code to an expected response code. The authentication center 30 can be realized in the form of additional software added to a preexisting pager system or other radio communication system. The separate authentication center 30 enables many service nodes or networks to use one authentication center 30. This permits changes in the authentication procedure to be done at one location for all applications and permits one authentication procedure to be used for more than one service, and perhaps all services to which a user has subscribed.

The service access network 24 can be in the form of any communication system, such as a public or private telephone network, telegraph, or other land-line system, cellular radio telephone network, or other radio communication network. The form of the service access network 24 can be in any form capable of transmitting information from the terminal 22 to the service node 26. The service access network 24 in some of the examples provided below is in the form of a preexisting telephone network.

The authentication challenge network 28 can be the same network as the service access network 24, or preferably a distinct and separate network. The authentication challenge network 28 can be any communication system, such as a public or private telephone network, telegraph, or other land-line system, cellular radio telephone network, or other radio communication network. The authentication challenge network 28 can be in any form capable of transmitting information from the service node 26 (or authentication center 30) to the personal unit 20. In one embodiment, the authentication network is a preexisting wide area pager system capable of broadcasting a personal unit identification number and additional information, such as at least one challenge code. Existing pager systems which can transmit at least the telephone number the user is being prompted to call have sufficient capabilities to function with the personal unit disclosed herein. Any form of radio communication system can provide the optimum security offered by the present invention because only a specific receiver can properly generate the expected response when the proper PIN or the like is input. However, the user can be required to manually input a challenge code provided over an interactive service access network 24.

In the exemplary embodiment of Figure 2, the personal unit 20 includes a receiver unit 21a for receiving the challenge code, and an algorithm unit 21b, operatively connected to the receiver unit 21a and preferably including an input device for receiving a user input, such as a security number, e.g., a PIN (Figure 2). The receiver unit 21a can be in the form of a pager having a digital display capable of displaying a caller's telephone number or the like. The personal unit 20 can be essentially a conventional pager which is modified to include, for example, a receiver 21b, an input keypad 21c and optionally a dual tone multi-frequency (DTMF) generator 21d (if automated input of the displayed response code is preferred where the terminal 22 is connected to some form of audio communications network). The personal unit 20 may include a transmitter 21f in an embodiment where the service access network includes a radio uplink, or where the response code is directly sent to the authentication center 30 or service node 26. The algorithm unit 21b calculates a response code in accordance with the received challenge code, an appropriate input security number and optionally a secret key (a secret number or code provided by the supplier of the personal unit) entered into storage in the personal unit at the time of subscription. Algorithms of this type are known in the art or readily derived therefrom. See, GSM 03.20, Appendix C.2, algorithm A3, for example. The specific algorithm used in a given embodiment is not germane to the present invention. A memory 21e is provided to store the algorithms, the secret key, received challenge codes and computer programming as a specific embodiment makes expedient. The pager unit may be microprocessor driven.

This provides a triple check on the identity of the user, requiring information from three separate sources (user: PIN, service node or authentication center: challenge code, and provider of the personal unit: secret key), thereby increasing the relative security of the transaction against fraud or other unauthorized use.

In a preferred embodiment, the personal unit is a separate unit, thereby minimizing or avoiding the need to customize a communication device such as a cellular telephone. The receiver unit, input device, and the capacity for performing the necessary calculations exist in conventional cellular telephones and personal communication units, allowing the present invention to be implemented through software.

The challenge code can either be unique to a given transaction or broadcast, for example, to all such personal units in use at a given time. The response code is to be unique to each transaction in either scenario. Also, in either scenario, the challenge codes should be changed on a periodic or a random basis to provide additional security for transactions. Similarly, the user input, such as a PIN, can be updated at the user's discretion or on a regular basis. Even the algorithm can be changed from time to time, or more than one algorithm can be stored in the personal unit 20, which can be either cyclically used in a predetermined order or changed after a predetermined number of uses. As long as the authentication center 30 can determine what algorithm, what secret key (if used), and what user input should have been used for a given transaction, the user can be authenticated.

The algorithm unit 21b calculates a response code based on the received challenge code, the user input (e.g., PIN), and optionally the secret key. Thus, for a correct response code to be generated, the challenge code, the user input and the secret key (if used) have to be in accordance with the expectations of the service node 26 or authentication center 30 if access to the service is to be granted. The service node 26 or the authentication center 30 is provided with enough information to be able to anticipate the proper response code. Thus, for a transaction to be authorized, the user must know the appropriate user input (e.g., PIN), be in possession of the correct personal unit and receive the appropriate challenge code.

A conventional twelve button (0-9, * and #) keypad 21c is preferably provided for inputting the user input as shown in Figure 2. Alternatively, a reduced or expanded keypad can be used with lesser or greater security being afforded thereby. A character recognition device which can recognize a signature or other writing can be used for the user input device. Also, a fingerprint or retinal scanner can be used for added security in appropriate situations.

For example, the challenge code may have 10 decimal digits, the secret key has 12 decimal digits, the PIN has 4 decimal digits, and the response code has 8 decimal digits.

Authentication Process

A user initiates a service access through terminal 22 by transmitting the request over a service access network 24 to a service node 26. The service node 26 does not immediately initiate the services offered. Rather, it generates a challenge code or causes a challenge code to be generated in an authentication center 30. The challenge code is sent over an authentication challenge network 28 to the personal unit.

When the personal unit 20 receives an authentication challenge code, it prompts the user to input a PIN or other identifying information, and generates a response code by an algorithm having the challenge code, an internal security code and the PIN as variables. Alternatively, several challenge codes can be received and stored in the personal unit, and the user prompted for the user input when attempting access to an electronic service. The user inputs a PIN, for example, via a keyboard. However, known character recognition devices can be used to recognize a signature, or writing generally, which is input on a pad via a stylus. Other possibilities include fingerprint or retinal scan devices, though the expense of these devices makes a practical embodiment less likely except for transactions requiring the highest form of security.

The internally stored algorithm then generates a response code based on the challenge code, the user input, and optionally a secret key.

The response code is either displayed on a display 20a (Fig. 2) for manual input to terminal 22, or electronically, acoustically or optically input to terminal 22 which then transparently transmits the response code over the service access network 24 to the service node 26. Alternatively or additionally, the response can be transmitted over the authentication network 28 to the authentication center 30 which then may send the response to the service node 26, or compare the response to the expected response and forward the result to the service node 26. If the response code is acceptable, the service node 26 permits the user to access the services offered. The response code is compared to an expected response code, which, in exemplary embodiments, may be pre-stored or generated using the same algorithm and variables. Because the communication links in the authentication challenge network, and perhaps the service access network may suffer from noise (e.g., radio interference), some tolerance may be given in the result of the comparison. In other words, the response code and the expected response code do not have to be exactly the same to gain access to the service, particularly when using an analog, rather than a digital, transmission format.

With reference to the flow chart of Figure 3, an exemplary authentication process begins at step S10 where a user initiates communication to a service node 26 via the service access network 24. This can be as simple as picking up the telephone and dialing an appropriate telephone number, which may be pre-stored in the personal unit. At step S12, the process may include entering a user number or identity, such as used for a data service. As shown at step S14, the service access network 24 transparently communicates an access request from the user to the service node 26. The service node 26, in response to the access request, requests authentication via an authentication challenge network 28 by sending a challenge code (either generated in a separate challenge center 30 or in the service node 26) to the user's personal unit 20, as shown at step SlS. Alternatively, one or more challenge codes can be sent to the personal unit in advance. The personal unit 20 may display a prompt to prompt the user to input, for example, a security code, such as a PIN, or the terminal 22 may provide the prompt. Upon entry of the user input, the algorithm unit 21b of the personal unit 20 calculates and sends a response code either to the display or to a dual tone multi-frequency generator, or both. Other output devices can be used, such as radio wave (e.g., radio transmitter or transceiver), infrared, visible or ultraviolet generators (e.g., LED's or semiconductor lasers), electrically inductive couplers (e.g., induction coils), or forms of acoustic devices other than a DTMF generator.

The user then either manually inputs the displayed response code to the terminal 22, or the personal unit 20 directly inputs the response code in the case of a different type of output device. For example, when a dual tone multi-frequency (DTMF) generator is used with a communication system, the user presents generated tones to a microphone of such a system.

The service access network 24 transparently transmits the response code to the service node 26, which determines whether it is acceptable. If the authentication center 30 performs the comparison of the received response code to the expected response code, the service node 26 will transmit the response code to the authentication center 30. Alternatively, the personal unit can send via radio transmission the response directly to the authentication center 30 and the authentication center 30 can inform the service node 26 of the results. If the response code is not acceptable, the user's access to the service is denied and the process returns to either initiating the entire process or re-requesting the identification information. Optionally, the system can disable the personal unit if a predetermined number of denied access attempts occur or if the personal unit 20 has been reported as stolen.

If the response code is acceptable, the service is accessed and the user can perform the desired, available functions through the service node.
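
The exchange described above, from issued challenge to accepted or denied response, can be sketched in Python as an added example (not code from the patent or from Ericsson). HMAC-SHA256 stands in for the unspecified response algorithm, the digit lengths follow the patent's own example, and the key, PIN, three-attempt lockout limit and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Field widths from the patent's example; MAX_FAILURES is an assumed value
# for the "predetermined number of denied access attempts".
CHALLENGE_DIGITS, KEY_DIGITS, PIN_DIGITS, RESPONSE_DIGITS = 10, 12, 4, 8
MAX_FAILURES = 3


def _check_digits(value: str, width: int) -> None:
    if not (isinstance(value, str) and value.isascii()
            and value.isdigit() and len(value) == width):
        raise ValueError(f"expected {width} decimal digits")


def compute_response(challenge: str, pin: str, secret_key: str) -> str:
    """Response code = f(challenge, PIN, secret key), as decimal digits.

    HMAC-SHA256 is a stand-in chosen for this example; the patent does not
    fix the algorithm.
    """
    _check_digits(challenge, CHALLENGE_DIGITS)
    _check_digits(pin, PIN_DIGITS)
    _check_digits(secret_key, KEY_DIGITS)
    # All fields are fixed width, so concatenation cannot be ambiguous.
    mac = hmac.new(secret_key.encode(), (challenge + pin).encode(),
                   hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % 10 ** RESPONSE_DIGITS
    return str(number).zfill(RESPONSE_DIGITS)


class PersonalUnit:
    """Personal unit 20: stores the secret key; the PIN is typed per use."""

    def __init__(self, secret_key: str):
        self._secret_key = secret_key

    def respond(self, challenge: str, pin: str) -> str:
        return compute_response(challenge, pin, self._secret_key)


class AuthenticationCenter:
    """Authentication center 30: issues challenges and checks responses."""

    def __init__(self):
        self._subscribers = {}  # user id -> key, PIN, failure count, state
        self._pending = {}      # user id -> challenge awaiting a response

    def enroll(self, user_id: str, secret_key: str, pin: str) -> None:
        # The center must hold what it needs to anticipate the response.
        self._subscribers[user_id] = {
            "key": secret_key, "pin": pin, "failures": 0, "disabled": False}

    def report_stolen(self, user_id: str) -> None:
        self._subscribers[user_id]["disabled"] = True

    def issue_challenge(self, user_id: str) -> str:
        if self._subscribers[user_id]["disabled"]:
            raise PermissionError("personal unit is disabled")
        challenge = "".join(
            secrets.choice("0123456789") for _ in range(CHALLENGE_DIGITS))
        self._pending[user_id] = challenge
        return challenge

    def verify(self, user_id: str, response: str) -> bool:
        sub = self._subscribers[user_id]
        # pop() consumes the challenge, so a response cannot be replayed.
        challenge = self._pending.pop(user_id, None)
        if sub["disabled"] or challenge is None:
            return False
        expected = compute_response(challenge, sub["pin"], sub["key"])
        ok = (isinstance(response, str) and response.isascii()
              and hmac.compare_digest(expected, response))
        if ok:
            sub["failures"] = 0
            return True
        sub["failures"] += 1
        if sub["failures"] >= MAX_FAILURES:
            sub["disabled"] = True
        return False


if __name__ == "__main__":
    # Constructed sample values; PTOEXAN is the user id used in the
    # patent's Figure 1A example.
    center = AuthenticationCenter()
    center.enroll("PTOEXAN", "304958671234", "4711")
    unit = PersonalUnit("304958671234")
    challenge = center.issue_challenge("PTOEXAN")
    response = unit.respond(challenge, "4711")
    print("first use accepted:", center.verify("PTOEXAN", response))
    print("replay accepted:", center.verify("PTOEXAN", response))
```

The center here compares exactly and in constant time; the noise tolerance the text allows would enlarge the set of accepted responses and is left out of this sketch.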

With reference to Figure 1A, the basic procedure is examined with reference to specific, numbered communications of an exemplary embodiment.

(1) ENTER USERID: PTOEXAN.

(2) Service node receives request for a service from PTOEXAN. This USERID is connected to Patent and Trademark Office Examiner Andersson. Service node sends a request for authentication: "Please authenticate this user: Examiner Andersson."

(3) Challenge code is sent to Examiner Andersson's authentication pager.

(4) ENTER PASSWORD, which is sent to the data terminal from the service node.

(5) Examiner Andersson enters PIN number to activate calculation of response code in personal unit. Response code is shown on the display of the personal unit, and then manually input to the data terminal. Alternatively, the response code can be sent via a radio link directly to the authentication center.

(6) The response code is sent from the service node to the authentication center.

(7) Authentication center compares the received response to the expected response and sends a message to the service node informing node authenticated/not authenticated.

(8) Authentication approved/not approved to the user.

As a concrete example of the present invention, a home banking application will be described. In this application, the intention is to transfer money from the owner's account to a different account, such as a creditor's account. The user can pay his bills at home using a telephone and a personal unit. In this example, all authentication steps performed by the user are manual. The resulting dialogue is as follows:

User: Initiates a telephone call by calling a payment service telephone number of a bank.

Bank: "Enter your account number."

User: "4219231459#."

Bank: "Please enter the following digits into your authentication unit - 1, 2, 3, 2, 8" (challenge code). Alternatively, if the challenge code is broadcast or previously stored in the personal unit, then this step is skipped. "Please enter your personal identification number."

User: Enters his PIN into the personal unit. The personal unit presents a challenge response, e.g., 19283746, on the personal unit's display. The user enters "19283746" on the telephone keypad.

Bank: "Enter account number of account to receive payment."

User: "4313950678#."

Bank: "Account of Ms. Jane Doe, Anytown, USA. Enter amount."

User: "$500.00."

Bank: "$500.00 is credited to the account of Ms. Jane Doe. Transaction reference number 123456."

User: Hangs up.

This procedure may be complicated by routines for interrupting if an error has occurred, routines for handling more than one transaction during a single call, routines for using another home telephone, etc.

A second exemplary procedure involves charging for long distance calls using a special service node (SSN). In this example, the authentication is provided when charging a long distance call through a long distance telephone company.

User: The special service node telephone is, e.g., with the prefix 900, followed by the long distance telephone number to be called, e.g., 900 555-1212.

SSN: "Give ID and challenge response."

User: Enters PIN into a personal unit (which has received a radio transmitted challenge code) and the personal unit presents a challenge response on its display, e.g., "19283746." A button is then pressed and the personal unit's speaker is held against a microphone of the telephone giving an acoustical DTMF output to the SSN, e.g., "#0859032843#19283746#" which includes a personal identity number and followed by a response to the challenge code.

SSN: Authenticity of the response code is checked and, if acceptable, the connection is provided.

The same personal unit can be used for both the above transactions. A more automatic transaction can be implemented. For instance, the personal unit may include a receiver and a DTMF transmitter, in which case, the user merely initiates access to a service and at a prompt inputs a user input, such as a PIN.

To avoid waiting for the paging system to transmit challenges over a wide area paging network, for example, it is possible to transmit several (e.g., three) challenge codes which are stored in the personal unit 20 until used when a PIN is entered to generate a response code. The response code subsequently generated is not to be used more than once if repeating an entry due to error.

The authentication center 30 can determine when