(19) United States
`(12) Patent Application Publication (10) Pub. No.: US 2007/0042755 A1
`(43) Pub. Date:
`Feb. 22, 2007
`Singhal
`
`US 20070042755A1
`
`(54) SYSTEMS AND METHODS FOR
`TWO-FACTOR REMOTE USER
`AUTHENTICATION
`
`(76)
`
`Inventor:
`
`Tara Chand Singhal, Torrance, CA
`(US)
`
`Correspondence Address:
`Tara Chand Singhal
`P 0 Box 5075
`Torrance, CA 90510 (US)
`
`(21)
`
`App]. No.:
`
`11/503,825
`
`(22)
`
`Filed:
`
`Aug. 13, 2006
`
`Related U.S. Application Data
`
`(60)
`
`Provisional application No. 60/709,955, filed on Aug.
`20, 2005.
`
`Publication Classification
`
`(51)
`
`Int. Cl.
`
`H04M 1/66
`
`(2006.01)
`
`(52)
`
`(57)
`
`ABSTRACT
`
`This invention discloses a system of remote user authenti-
`cation to an authentication server, with a telephone interface
`to the authentication server that only receives routed calls
`that have originated from a cell phone in a cellular network
`and a call handling logic function which routs only those
`calls to the authentication server over the interface that have
`
`originated from a cell phone with a subscriber identity
`module (SIM) card and for which the cellular company
`maintains an individual subscriber identification data. In a
`
`diflerent embodiment a remote user authentication system
`has different
`interfaces and different authentication pro-
`cesses that correspond with a telephone network interface
`and with a cellular telephone company network interface,
`enabling the authentication system to have different methods
`of authentication depending upon which interface a remote
`user connection authentication request originated from. The
`method uses the SIM card of a cell phone as a “something
`you have” factor as part of a two-factor authentication
`mechanism to an authentication server. The telephone net-
`work uses a call back feature.
`
`10A
`
`Authentication server 30
`
`Authentication
`Process
`
`VoIP
`
`Gateway 35A
`
` Cellular 20
`
`
`
`
`Cellular Network 40
`
`Telephone
`
`Authentication
`database 34
`
`Company #1
`
`
`TWILIO, INC. EX. 1009
`Page 1
`
`Cellular 20
`Telephone
`Company #2
`
`35
`
` Cellular 20
`Telephone
`Company #3
`
`
`
`TWILIO, INC. EX. 1009
`Page 1
`
`

`
`
`
`
`
`
`
`
`US 2007/0042755 A1
`Patent Application Publication Feb. 22, 2007 Sheet 1 of 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`OM._0>._0mCO_u60_u_._0£u:<
`
`
`
`co:mo_Em£:<
`
`
`
`mmwooi
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`n:O>
`
`
`
`
`
`<mm>m>>Bm0
`
`:o:mo_Em£:<om.m_:__mo
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`vmmmmnmgmcm:ocQm_8.
`
`
`
`
`
`
`
`
`E>cmdEo0
`
`
`
`
`
`
`
`om.m_:__mo
`
`o:ocqo_o.r
`
`
`
`
`
`mu>cmqEoo
`
`
`
`
`
`
`
`oma_=__8
`
`mcocqm_o._.
`
`
`
`
`
`F239".
`
`
`
`
`
`
`
`mt>cmaEoo35m:
`
`
`
`395.3__8
`
`
`
`
`
`
`
`3
`
`
`
`
`
`
`
`xsémz:m_:__mO
`
`
`
`
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 2
`
`TWILIO, INC. EX. 1009
`Page 2
`
`
`
`
`

`
`
`
`
`
`
`
`
`US 2007/0042755 Al
`Patent Application Publication Feb. 22, 2007 Sheet 2 of 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`N9_=m_n_
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mo_>._mmmE0:m__mom:o;am_9mc_Eoo:_mmofi>_:om>_mo99_m>._mmm?_a%<
`
`
`
`
`
`
`
`
`
`
`
`@513nm_Ew>cmmnm>m:E5m__mowmofi>_covtozamc.m_:=mom53.mc_Em2:ou_
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mmvtozpmc.m_:__momco_mEo..m:o3.13u9m:_m_.omamE5_mE9m:o
`
`
`
`
`
`
`
`
`
`
`
`
`
`vm.>:maEoo__mo9:£_>>Esooomum_Em>>E:mu_.mE9m:om952_mc_>oEmo_>5m:8
`
`
`
`
`
`
`
`
`
`
`
`om.co:mo_Ew£:mEm:90:5.5.928._m>mc:o>RES:m9Em_m>_:Umcmmm.émwmmnmumo
`
`
`
`:_um:2m-oam_3.:E_m__moa5:3__mom:_Eooc_9:E95:39:mcE2m._>_
`
`
`
`@585mwm_2cm£o.umc8mEHo::mmmmmmr:..__m.oumN__o£:mc:..cmm::m_o:::c<
`
`
`
`
`
`
`
`om.:o:mo_Eo£:mEm:99:95..>>oS_:o>:mc>>..B.903ocoommm.mmZn.6>:cw.8.mmm>_m53mc_EEo.n_
`
`
`
`
`
`mm.mo_Emm9:5,.mmmmmmE
`
`
`
`
`
`
`
`52:5:co:moc_Em_o__m:om_mamBbwcm3_mE9m:ooo_>6mm5m:_a_a>
`
`
`
`
`
`
`
`mm._mm:9:mczmoscmfism228mmmnmfic35$9::_=mcE8mE
`
`
`
`
`
`
`
`._mE9w:omo_>._mmm58mo_?_mmmmc_u_>o._n_
`
`TWILIO, INC. EX. 1009
`Page 3
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 3
`
`

`
`
`
`
`
`
`
`
`US 2007/0042755 A1
`Patent Application Publication Feb. 22, 2007 Sheet 3 of 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`<mm>m>>w..mO
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mu>cmqEoo
`
`
`
`
`
`m2:9“.
`
`
`
`
`
`
`
`
`
`:o:8_E9_s<
`
`
`
`Eowmnmfiu
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mmmmwmoo._n_m_o>
`
`on._o>._om:o=mo=:w_.=:<__mm.>\m.uwm%_m_an.w_¢nna
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`cmmmma
`
`
`
`
`
`m:o;am_o._.
`
`mu>cmQEoo
`
`oco;am_8.8._m_:__w0
`
`
`
`
`
`
`
`
`
`
`V—.Em:
`
`nunD7
`
`
`
`
`
`
`
`
`
`
`
`
`
`m:>__w
`
`om._m_:__m0
`
`mmE893__8
`
`TWILIO, INC. EX. 1009
`Page 4
`
`E>:mQEOO
`
`m:o;ao_m._.
`
`om:m_:=mO
`
`
`
`
`
`
`
`owxssmz.m_=__mo
`
`
`
`
`
`>:mQEoo
`
`
`
`>_®._®Em_.._camE..Nv>:maEoo.m__m$wc_Wmmfi._mm:m»_\%mw.,_u.w&o_%_wmnr._m.u_w.,w\_:o_..mo_Em£:<m:o;qm_99:359.95
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mc9._ao_m._.
`
`mow3.8:
`
`
`
`
`
`
`
`.8.m:_m_.oxmm
`
`
`
`
`
`._8§__m_.on:
`
`
`
`TWILIO, INC. EX. 1009
`Page 4
`
`
`
`
`
`
`
`
`
`
`
`

`
`
`
`
`
`
`
`
`US 2007/0042755 A1
`Patent Application Publication Feb. 22, 2007 Sheet 4 of 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`m:m...__movwucofismcscm:.6mmmmmwc.mwm_2cm£o
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`=>>OC9.9.2ob.cm6wmmwmmrcm9__5>__%ncm.mwmnfimu_._o__.m.o__Em£:mcm:_Tz_n_mc_&_.m>
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`<5._.-z_n_m9.0bucm8...E9m>m
`
`
`
`
`
`
`
`
`
`
`
`co_.mo_Eo£:m9:hoE996mwcoawm;m>:om.9:_cm3m_.__EE9n_
`
`
`
`
`
`
`
`
`
`
`
`FM<mmwoo._n_:o=mu=:o5:<
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`gown®”—OE®._m£BmozcmfizmOwmmmnflmu9:E9:®:_>_.t®>
`
`
`
`mmm.__movwN_._o£:m::
`
`
`
`
`
`v2:9".
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`m>_.om._mE_cm3m:_EE9n_cm*0mmmmmmEm9__5>__%mm_2:m£o.z_n_m53:58..mmmnmymcEm_E.m__mot.Ew.,w>m9:EEmeaimmmcoamm.
`
`
`
`
`
`
`
`
`
`
`
`c_r-2_n_m_£5».E935m_8598:8mcoE996m53xomnm:___mo
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`05.m_FmqmgmEta>_m..m_nmEE_mmmnfimu9:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`new_N-z_n_E>.5:®.8mc_EE9n_D_.mgmmzBQEQ9:Bmozcmfism29mo_Em£:<9mmmnfimbEH_mciomco
`
`
`
`
`
`<wm.mmmpSmcE996co__mo_Eo£:m.
`
`
`
`
`
`
`
`
`
`
`
`
`
`cm5:29:m.8E.m__momc_Eoo:_9:@5020cammc_>Em>
`
`
`
`
`
`
`
`
`
`
`
`
`
`NMmmmwoohm_._O_uNU_u:0_.._u5<
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 5
`
`TWILIO, INC. EX. 1009
`Page 5
`
`

`
`
`
`
`
`
`
`
`US 2007/0042755 A1
`Patent Application Publication Feb. 22, 2007 Sheet 5 of 5
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`onElam
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`$8835
`
`
`
`
`
`
`
`
`
`
`
`m2:9".
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`mkwmm
`23%
`2&8
`mtbwm,
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`.__movm~._.o£:mc:W0mmmmmmEQ._®>__®D
`
`
`
`
`
`
`
`
`
`
`
`
`
`Num:__9__mo230..ZmI._.
`
`
`
`
`:o_.mo_=$£:<N%wC_:_
`
`
`Am“.m:__.8.6583:9m>_au63:5::o:m:=mmBH:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`om_onE:zcozmczmooowuzzaomm_m_oow
`
`
`
`
`
`mmmm»cozmczmmommmm:mo_._.o>_.n_
`
`32%oE_._.mm952
`
`
`
`omu__wooEam_mom0vmmmm:uu<
`
`8“moo
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`:o=§_2.<3...._mo._
`
`
`
`
`
`
`
`
`
`
`
`.emn_.omn=m_m:u_>_u:_n3.....mm_u.mE2m:£n__
`
`
`
`
`
`
`
`BB8mm—.
`
`
`
`mm2:R2a__mommgoo.95.3=8
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`332.9mm=o_.8_=§==<223=8
`
`E:ooo<0wmmnfimom_mmmnfimo<mmmnsmoOx.Enrczz«C3000/xON52:32
`
`
`
`
`
`
`
`
`
`o\.52:52E:oou<
`
`
`
`3VE_2_m
`
`
`
`
`
`
`
`
`
`
`
`mu>3cozecocm
`
`ENE_>__m
`
`
`
`
`
`
`
`
`
`
`
`
`
`E.mmm_u.mE2m:o
`
`
`
`umooS._._t<.__._n_Ro__m__mo
`
`
`
`
`
`D2<
`
`mmd
`
`
`
`
`
`
`
`Q.mamaEzooum
`
`
`
`:8«mmmamE8_>__m
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 6
`
`
`
`
`
`
`
`
`
`
`
`vvo_mo_9___u=£___mo>:maEoo__wo
`
`TWILIO, INC. EX. 1009
`Page 6
`
`
`
`
`

`
`
`
`US 2007/0042755 A1
`
`
`
`Feb. 22, 2007
`
`
`
`
`
`SYSTEMS AND METHODS FOR TWO-FACTOR
`
`
`
`
`REMOTE USER AUTHENTICATION
`
`
`
`
`
`
`
`access to banks where the number of such customers is in
`
`
`
`
`
`
`
`
`
`
`hundreds of thousands if not in millions.
`
`
`
`
`
`
`
`
`
`
`
`[0007]
`In light of the above, it is an objective of the present
`
`
`
`
`
`
`
`
`
`
`
`
`invention to have systems and methods that enables two-
`
`
`
`
`
`
`
`
`factor remote user authentication without a security token
`
`
`
`
`
`
`
`and biometrics and that would be easy to scale up to large
`
`
`
`
`
`
`
`
`
`
`
`number of users and customers of a business.
`
`
`
`
`
`
`
`
`
`
`
`
`
`SUMMARY
`
`
`
`[0008]
`In prior art, depending upon where a telephone call
`
`
`
`
`
`
`
`
`
`originates, a caller has the freedom to set up and make his
`
`
`
`
`
`
`
`
`
`
`
`
`own caller id. For example, for calls that originate in a
`
`
`
`
`
`
`
`
`
`
`
`Private Branch Exchange (PBX),
`the caller id is pro-
`
`
`
`
`
`
`
`
`grammed by the PBX owner and may be set up to be any
`
`
`
`
`
`
`
`
`
`
`
`
`
`number. In calls originating in an Internet Protocol (IP)
`
`
`
`
`
`
`
`
`
`based phone, the caller id is made up by the call originator
`
`
`
`
`
`
`
`
`
`
`
`
`and it is merely forwarded by the telephone network. Hence,
`
`
`
`
`
`
`
`
`
`
`in prior art, at the call destination, such as at computer
`
`
`
`
`
`
`
`
`
`
`
`system that may be a part of a remote authentication system,
`
`
`
`
`
`
`
`
`
`there is no assurance that the caller id is reliable and can be
`
`
`
`
`
`
`
`
`
`
`
`
`
`relied upon to uniquely identify and authenticate a caller.
`
`
`
`
`
`
`
`
`
`[0009] The current invention discloses that the Subscriber
`
`
`
`
`
`
`
`
`Identity Module (SIM) card of a cell phone may be used and
`
`
`
`
`
`
`
`
`
`
`
`would work equally well as a “what you have” factor of
`
`
`
`
`
`
`
`
`
`
`
`remote user authentication with added features of this inven-
`
`
`
`
`
`
`
`
`tion and that may replace the prior art security tokens. GSM
`
`
`
`
`
`
`
`
`
`
`
`based cell phones use a Subscriber Identity Module (SIM)
`
`
`
`
`
`
`
`
`
`card. The SIM card provides identity verification and
`
`
`
`
`
`
`
`
`authentication as well as confidentiality of the communica-
`
`
`
`
`
`
`
`tion to the cell phone company.
`
`
`
`
`
`
`[0010] When a call originates over a cell phone, the cell
`
`
`
`
`
`
`
`
`
`
`
`service provider generates the caller id that is mapped from
`
`
`
`
`
`
`
`
`
`
`the SIM. The SIM, a personalized and coded physical card,
`
`
`
`
`
`
`
`
`
`
`is embedded in the phone and the phone is in the personal
`
`
`
`
`
`
`
`
`
`
`
`
`possession of the caller. Hence, when the call destination
`
`
`
`
`
`
`
`
`
`system is assured with the features of this invention that the
`
`
`
`
`
`
`
`
`
`
`
`call originates on the cell phone via a cell network, the caller
`
`
`
`
`
`
`
`
`
`
`
`id is relied upon by the destination system. This invention
`
`
`
`
`
`
`
`
`
`
`discloses features and different embodiments that assure a
`
`
`
`
`
`
`
`
`call destination system that the caller id can be relied upon
`
`
`
`
`
`
`
`
`
`
`
`as an equivalent “what you have” factor for identification
`
`
`
`
`
`
`
`
`
`and authentication.
`
`
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`
`
`
`
`
`
`[0011] The novel features of this invention, as well as the
`
`
`
`
`
`
`
`
`
`
`
`invention itself, both as to its structure and its operation, will
`
`
`
`
`
`
`
`
`
`
`
`be best understood from the accompanying drawings, taken
`
`
`
`
`
`
`
`
`in conjunction with the accompanying description, in which
`
`
`
`
`
`
`
`
`similar reference characters refer to similar parts. The draw-
`
`
`
`
`
`
`
`
`ings are:
`
`
`[0012]
`FIG. 1 is a block diagram that illustrates a version
`
`
`
`
`
`
`
`
`
`
`of the current invention of a two-factor authentication sys-
`
`
`
`
`
`
`
`tem.
`
`
`
`
`[0013]
`FIG. 2 is a flow diagram that illustrates a version of
`
`
`
`
`
`
`
`
`
`
`
`the current invention of a two-factor authentication system.
`
`
`
`
`
`
`
`
`[0014]
`FIG. 3 is a block diagram that illustrates another
`
`
`
`
`
`
`
`
`
`version of the current invention of a two-factor authentica-
`
`
`
`
`
`
`
`tion system.
`
`
`[0015]
`FIG. 4 is a flow diagram that illustrates a version of
`
`
`
`
`
`
`
`
`
`
`
`the current invention of a two-factor authentication system.
`
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 7
`
`CROSS REFERENCE TO RELATED
`
`
`
`APPLICATIONS
`
`
`
`
`
`[0001] This application claims priority on Provisional
`
`
`
`
`
`
`
`Application Ser. No. 60/709,955, entitled “Method And
`
`
`
`
`
`
`
`Apparatus For Two-Factor Remote User Authentication”
`
`
`
`
`
`
`filed on Aug. 20, 2005, by Tara Chand Singhal. The contents
`
`
`
`
`
`
`
`
`
`
`
`of the Provisional Application Ser. No. 60/709,955 are
`
`
`
`
`
`
`
`
`incorporated herein by reference.
`
`
`
`
`
`FIELD OF THE INVENTION
`
`
`
`
`
`
`[0002] The present invention is directed to systems and
`
`
`
`
`
`
`
`
`
`methods for two-factor remote user authentication that does
`
`
`
`
`
`
`
`
`not use a security token of prior art and uses certain features
`
`
`
`
`
`
`
`
`
`
`
`of the telephone network.
`
`
`
`
`
`BACKGROUND
`
`
`
`[0003]
`In the science of remote user authentication, there
`
`
`
`
`
`
`
`
`
`are three different factors by which a remote user to a system
`
`
`
`
`
`
`
`
`
`
`
`such as a server on an Internet or computer network may be
`
`
`
`
`
`
`
`
`
`
`
`
`authenticated. These three factors are: (i) “what you know”,
`
`
`
`
`
`
`
`
`
`which could be a personal identification number, an alpha-
`
`
`
`
`
`
`
`
`numeric password or a phrase; (ii) “what you have”, which
`
`
`
`
`
`
`
`
`
`could be a smart card or a security token in the personal
`
`
`
`
`
`
`
`
`
`
`
`
`possession of a user, that is given to the user by the business
`
`
`
`
`
`
`
`
`
`
`
`
`which owns or manages the network; and (iii) “what you
`
`
`
`
`
`
`
`
`
`
`are”, which is a biometric measure of the user such as
`
`
`
`
`
`
`
`
`
`
`
`fingerprint, retina print, handprint etc. requiring a biometric
`
`
`
`
`
`
`
`sensor.
`
`
`
`[0004] For the “what you have” factor, companies such as
`
`
`
`
`
`
`
`
`
`RSA Data security and ActivCard, to name a few, make
`
`
`
`
`
`
`
`
`
`
`security tokens. These security tokens may be and usually
`
`
`
`
`
`
`
`
`
`are hardware and software devices embedded with logic and
`
`
`
`
`
`
`
`
`
`codes that are personalized for the remote user. Such tokens
`
`
`
`
`
`
`
`
`
`
`may have an interface by which they are read by an interface
`
`
`
`
`
`
`
`
`
`
`
`
`device to the computer network, or they may generate a
`
`
`
`
`
`
`
`
`
`
`code, which is then used by the user to enter in a device or
`
`
`
`
`
`
`
`
`
`
`
`
`
`screen as part of “what you have” factor. Or they may be
`
`
`
`
`
`
`
`
`
`
`
`
`static cards such as an ATM card with a magnetic strip.
`
`
`
`
`
`
`
`
`
`
`
`[0005]
`In each of these factors, each factor has its own
`
`
`
`
`
`
`
`
`
`
`
`issues of reliability and security that are well described in the
`
`
`
`
`
`
`
`
`
`
`
`industry news and publications. The information security
`
`
`
`
`
`
`
`industry considers the use of any one of these factors as a
`
`
`
`
`
`
`
`
`
`
`
`
`one-factor authentication or as a weak form of remote user
`
`
`
`
`
`
`
`
`
`
`authentication and considers the use of any two-factors as a
`
`
`
`
`
`
`
`
`
`
`two-factor authentication or a strong form of remote user
`
`
`
`
`
`
`
`
`
`authentication.
`
`[0006] Where ever a two-factor authentication is used or
`
`
`
`
`
`
`
`
`
`required, the use of “what you know” and “what you have”
`
`
`
`
`
`
`
`
`
`
`
`are the factors of choice that are used. The “what you have”
`
`
`
`
`
`
`
`
`
`
`
`
`factor requires the use of a security token, as described
`
`
`
`
`
`
`
`
`
`above, and that requires the purchase, personalization and
`
`
`
`
`
`
`
`
`distribution of such tokens to the users at a considerable
`
`
`
`
`
`
`
`
`
`
`cost. For this reason, such security tokens are mostly used by
`
`
`
`
`
`
`
`
`
`
`
`employees of a business and are not distributed or given to
`
`
`
`
`
`
`
`
`
`
`the customers of a business. There are many business
`
`
`
`
`
`
`
`
`
`applications where the access to the application over the
`
`
`
`
`
`
`
`
`
`Internet needs to be given to the business’s customers. A
`
`
`
`
`
`
`
`
`
`
`classic example is online access to business data or online
`
`
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 7
`
`

`
`
`
`US 2007/0042755 A1
`
`
`
`Feb. 22, 2007
`
`
`
`
`
`[0016] FIG. 5 is a version of the block diagram of call
`
`
`
`
`
`
`
`
`
`
`
`
`handling logic of the current
`invention of a two-factor
`
`
`
`
`
`
`
`
`
`authentication system that may be used by a cellular net-
`
`
`
`
`
`
`
`
`
`work.
`
`
`DESCRIPTION
`
`
`
`[0017] This invention discloses two embodiments of a
`
`
`
`
`
`
`
`
`two-factor remote user authentication system. FIGS. 1 and 2
`
`
`
`
`
`
`
`
`describe the system and method of the first embodiment and
`
`
`
`
`
`
`
`
`
`
`FIGS. 3 and 4 describe the system and method of the second
`
`
`
`
`
`
`
`
`
`
`
`embodiment. FIG. 5 describes the features of a call handling
`
`
`
`
`
`
`
`
`
`logic in the cell network that is used by these embodiments.
`
`
`
`
`
`
`
`
`
`
`
`[0018] The embodiment 10A, as in FIG. 1, discloses a
`
`
`
`
`
`
`
`
`
`
`system of remote user authentication to an authentication
`
`
`
`
`
`
`
`
`server 30 that has a telephone interface 32 to the authenti-
`
`
`
`
`
`
`
`
`
`
`cation server 30 that only receives routed calls that have
`
`
`
`
`
`
`
`
`
`originated from a cell phone 12 in a cellular network 40 by
`
`
`
`
`
`
`
`
`
`
`a user 14.
`
`
`
`[0019] The cellular network 40 operated by the cell com-
`
`
`
`
`
`
`
`
`
`panies 20 has a call handling logic function 44 (described
`
`
`
`
`
`
`
`
`
`
`later with reference to FIG. 5), which routes only those calls
`
`
`
`
`
`
`
`
`
`
`
`to the authentication server 30 over the interface 32 that have
`
`
`
`
`
`
`
`
`
`
`
`originated from a cell phone with a subscriber identity
`
`
`
`
`
`
`
`
`
`module (SIM) card 13 and for which the cellular company
`
`
`
`
`
`
`
`
`
`
`maintains an individual subscriber identification data.
`
`
`
`
`
`
`[0020] The authentication server 30 may be adapted with
`
`
`
`
`
`
`
`
`
`an IVR system 33 and may receive routed calls from all the
`
`
`
`
`
`
`
`
`
`
`
`
`companies 20 via a private landline 35. To handle large
`
`
`
`
`
`
`
`
`
`
`volume of calls simultaneously, a VoIP gateway 35A may
`
`
`
`
`
`
`
`
`
`also be used. The authentication server 30 may use an
`
`
`
`
`
`
`
`
`
`
`authentication database 34, which maintains authentication
`
`
`
`
`
`
`data including the caller id data of the users.
`
`
`
`
`
`
`
`
`
`[0021] With reference to FIG. 2, a method of remote user
`
`
`
`
`
`
`
`
`
`
`authentication to a service system on a global computer
`
`
`
`
`
`
`
`
`network has the following steps. Not all the steps may be
`
`
`
`
`
`
`
`
`
`
`needed and used in the order specified herein.
`
`
`
`
`
`
`
`
`[0022] At Step 52, adapting a server to receive only those
`
`
`
`
`
`
`
`
`
`
`incoming telephone calls from a service customer that are
`
`
`
`
`
`
`
`
`
`originated by the customer on a cellular network. This is
`
`
`
`
`
`
`
`
`
`
`done by interfacing the server with a private line corre-
`
`
`
`
`
`
`
`
`
`sponding to a private number managed by a cell network for
`
`
`
`
`
`
`
`
`
`
`receiving cellular network originated calls.
`
`
`
`
`
`[0023] At step 54, forwarding only those calls, by the
`
`
`
`
`
`
`
`
`
`cellular networks, that have been verified by the cell service
`
`
`
`
`
`
`
`
`
`provider having a customer identity verified account with
`
`
`
`
`
`
`
`the cell company.
`
`
`
`[0024] At step 56, matching the caller id of the incoming
`
`
`
`
`
`
`
`
`
`
`call with a caller id that is pre-stored in database 34, as an
`
`
`
`
`
`
`
`
`
`
`
`
`equivalent to a “what you have” factor of remote user
`
`
`
`
`
`
`
`
`
`authentication.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0028] At step 64, providing a service to the service
`
`
`
`
`
`
`
`
`
`
`customer. The service may by delivery of information such
`
`
`
`
`
`
`
`
`
`as, pass code to a system enabling the customer to have a
`
`
`
`
`
`
`
`
`
`
`
`
`service from the service system, or providing an access code
`
`
`
`
`
`
`
`
`
`
`to gain entrance to a facility, or providing an access code to
`
`
`
`
`
`
`
`
`
`
`
`
`gain entry to an automated teller machine, or providing
`
`
`
`
`
`
`
`
`
`access code to gain access to a computer network.
`
`
`
`
`
`
`
`
`
`
`[0029] Alternatively the authentication server coupled
`
`
`
`
`
`with a service system may directly deliver services the
`
`
`
`
`
`
`
`
`service customer is authorized to receive such as, a banking
`
`
`
`
`
`
`
`
`
`transaction via the phone, and other similar services.
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0030] The embodiment 10B described with reference to
`
`
`
`
`
`
`
`
`FIG. 3 uses two different interfaces line #1 and line #2 for
`
`
`
`
`
`
`
`
`
`
`
`
`remote user authentication. One of these interfaces, line #2
`
`
`
`
`
`
`
`
`
`is the one described in embodiment 10A with the help of
`
`
`
`
`
`
`
`
`
`
`
`FIG. 1 and the other interface line #1 is for those calls that
`
`
`
`
`
`
`
`
`
`
`
`
`
`do not originate on a cell network 40.
`
`
`
`
`
`
`
`
`
`
`[0031] The embodiment 10B includes an authentication
`
`
`
`
`
`
`
`server 30 with an authentication database 34 that pre-stores
`
`
`
`
`
`
`
`
`
`data used for authentication, two different telephone line
`
`
`
`
`
`
`
`
`interfaces,
`line # 1 and line #2 that are handled by two
`
`
`
`
`
`
`
`
`
`
`
`
`different authentication processes, and processes A 31 and B
`
`
`
`
`
`
`
`
`
`32 respectively in the authentication server 30. The server 30
`
`
`
`
`
`
`
`
`
`
`also has an interactive voice response (IVR) system 33 that
`
`
`
`
`
`
`
`
`
`
`may be part of server 30 or it may be a separate server.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0032] The authentication process A 31 handles telephone
`
`
`
`
`
`
`
`
`calls from user 14, over line #1 originating from devices and
`
`
`
`
`
`
`
`
`
`
`
`networks and may include phone calls that originate via a
`
`
`
`
`
`
`
`
`
`
`private branch exchange (PBX) or via a world phone that
`
`
`
`
`
`
`
`
`
`
`originates calls via the IP protocol and use the Internet, or
`
`
`
`
`
`
`
`
`
`
`
`from the other parts of a public switched telephone network,
`
`
`
`
`
`
`
`
`
`such as line from a home or business. In all these methods
`
`
`
`
`
`
`
`
`
`
`
`
`or devices or networks, the user 14 may be able to insert or
`
`
`
`
`
`
`
`
`
`
`
`
`
`may be in control of creating or inserting a caller id of
`
`
`
`
`
`
`
`
`
`
`
`
`his/her own choosing. Such originated calls are merely
`
`
`
`
`
`
`
`
`forwarded to the destination by the prior art
`telephone
`
`
`
`
`
`
`
`
`
`company 42 network without verifying the caller id.
`
`
`
`
`
`
`
`
`
`[0033] The authentication process B 32 handles telephone
`
`
`
`
`
`
`
`
`calls originating over a cellular telephone network 40 from
`
`
`
`
`
`
`
`
`user 14 with a cell phone 12 embedded with a SIM card 13
`
`
`
`
`
`
`
`
`
`
`
`via one or more different cellular telephone companies 20
`
`
`
`
`
`
`
`
`
`over a private line #2. The line # 2 is a private line to
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`authentication server 30 and handles or delivers only those
`
`
`
`
`
`
`
`
`
`calls to the server 30 that originate over the cellular network
`
`
`
`
`
`
`
`
`
`
`
`40. The private line #2 may be equipped with a VoIP
`
`
`
`
`
`
`
`
`
`
`
`gateway to be able to handle a large volume of simultaneous
`
`
`
`
`
`
`
`
`
`
`calls over line #2.
`
`
`
`
`
`[0034]
`FIG. 4 describes the steps of these two authenti-
`
`
`
`
`
`
`
`
`
`cation processes, the process A 31 and process B 32.
`
`
`
`
`
`
`
`
`
`
`
`[0035]
`In the authentication process A 31, at step 31A,
`
`
`
`
`
`
`
`
`
`prompting by the interactive voice response (IVR) 33 sys-
`
`
`
`
`
`
`
`
`tem of the authentication server 30, for entry of a PIN-1.
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0036] At step 31B, first verifying PIN-1 in the authenti-
`
`
`
`
`
`
`
`
`
`cation database 34, then delivering a voice message of either
`
`
`
`
`
`
`
`
`
`“hang up now” or a message of “an unauthorized call”,
`
`
`
`
`
`
`
`
`
`
`depending upon the verification of PIN-1.
`
`
`
`
`
`
`
`
`[0025] At step 58, annunciating an “unauthorized call”
`
`
`
`
`
`
`
`
`message if not matched, otherwise a greeting message for
`
`
`
`
`
`
`
`
`
`the service.
`
`
`[0026] At step 60, prompting by the IVR 33, for entry of
`
`
`
`
`
`
`
`
`
`
`
`
`PIN as a second factor of “what you know” of remote user
`
`
`
`
`
`
`
`
`
`
`
`
`authentication.
`
`
`[0027] At step 62, verifying the service customer by
`
`
`
`
`
`
`
`
`
`matching the entered personal identification number with
`
`
`
`
`
`
`
`what is stored in the database before authenticating the user.
`
`
`
`
`
`
`
`
`
`
`
`[0037] At step 31C, calling back by the server 30, imme-
`
`
`
`
`
`
`
`
`
`
`diately after step 31B, on a caller id that is present for this
`
`
`
`
`
`
`
`
`
`
`
`PIN-1 in the database 34. The call back to a caller id that is
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`TWILIO, INC. EX. 1009
`Page 8
`
`TWILIO, INC. EX. 1009
`Page 8
`
`

`
`
`
`US 2007/0042755 A1
`
`
`
`Feb. 22, 2007
`
`
`
`
`
`pre-stored, to caller by server 30 serves as an equivalent of
`
`
`
`
`
`
`
`
`
`
`“what you have” factor of authentication.
`
`
`
`
`
`
`
`
`
`[0038] The PIN-1 may be the caller id of the caller, or it
`
`
`
`
`
`
`
`
`
`
`
`
`
`may be the caller id plus a secret number pre-stored in the
`
`
`
`
`
`
`
`
`
`
`
`
`authentication database 34. As an illustration, the database
`
`
`
`
`
`
`
`
`34 may store multiple caller ids, called primary caller id and
`
`
`
`
`
`
`
`
`
`
`
`one or more secondary caller ids. For example, the primary
`
`
`
`
`
`
`
`
`
`
`caller id is of a primary phone, and the secondary caller ids
`
`
`
`
`
`
`
`
`
`
`
`are of other phones to which the user has control or access
`
`
`
`
`
`
`
`
`
`
`
`
`to such as home phone, office phone etc. The PIN-1 may be
`
`
`
`
`
`
`
`
`
`
`
`
`the primary caller id plus the four digits of the secondary
`
`
`
`
`
`
`
`
`
`
`
`caller id. When a PIN-1 is used as described here,
`the
`
`
`
`
`
`
`
`
`
`
`
`primary caller id may be used to identity caller in the
`
`
`
`
`
`
`
`
`
`
`
`database 34, and the four digits of the secondary caller id
`
`
`
`
`
`
`
`
`
`
`
`may be used to identity which of one of the secondary caller
`
`
`
`
`
`
`
`
`
`
`
`
`id numbers the caller should be called back in step 31C.
`
`
`
`
`
`
`
`
`
`
`
`
`[0039] At step 31D, prompting for entry of PIN-2 by the
`
`
`
`
`
`
`
`
`
`
`IVR 33 and then checking the entered PIN-2 in database 34
`
`
`
`
`
`
`
`
`
`
`to authenticate the remote user with a “what you know”
`
`
`
`
`
`
`
`
`
`factor of remote user authentication.
`
`
`
`
`
`
`
`
`
`
`[0040] PIN-2 as described here is a secret number known
`
`
`
`
`
`
`
`
`
`
`only to the caller and the authentication database 34. The last
`
`
`
`
`
`
`
`
`
`
`
`four digits of PIN-1 may also be a secret number like PIN-2,
`
`
`
`
`
`
`
`
`
`
`and PIN-1 and PIN-2 may be the same.
`
`
`
`
`
`
`
`
`
`[0041] Alternatively, at step 31A, the authentication pro-
`
`
`
`
`
`
`
`cess A may advise all callers to call on a cellular network.
`
`
`
`
`
`
`
`
`
`
`Cell phones are used by masses, are available to everyone,
`
`
`
`
`
`
`
`
`
`and are very economical to own.
`
`
`
`
`
`
`
`
`
`
`[0042]
`In the authentication process B 32, the user 14 uses
`
`
`
`
`
`
`
`
`
`
`
`a cell phone 12, and the cellular network 40. Then at step
`
`
`
`
`
`
`
`
`
`
`
`
`32A, the server 30 checks the incoming caller id for a match
`
`
`
`
`
`
`
`
`
`
`
`in the authentication system database 34 as a “what you
`
`
`
`
`
`
`
`
`
`
`have” factor of authentication. If there is no match, deliv-
`
`
`
`
`
`
`
`
`
`ering the message “unauthorized call, please hang-up”.
`
`
`
`
`
`
`Otherwise proceeding with step 32B.
`
`
`
`
`
`
`
`
`[0043] At step 32B, prompt by the interactive voice
`
`
`
`
`
`
`
`
`response system 33 of the server 30, for entry of a PIN and
`
`
`
`
`
`
`
`
`
`
`
`receiving an entry of a PIN.
`
`
`
`
`
`
`
`
`
`[0044] At step 32C, verifying the entered PIN in the
`
`
`
`
`
`
`
`
`
`
`authentication database 34 to authenticate the remote user as
`
`
`
`
`
`
`
`
`
`a “what you know” factor of authentication.
`
`
`
`
`
`
`
`
`[0045]
`In the authentication system 10B, either authenti-
`
`
`
`
`
`
`
`cation process A is used or authentication process B is used
`
`
`
`
`
`
`
`
`
`
`depending upon how the call originated. If the call origi-
`
`
`
`
`
`
`
`
`
`nated on a cell phone, then the SIM card of the cell phone
`
`
`
`
`
`
`
`
`
`
`
`
`maps to the caller id of an individual person. If the call
`
`
`
`
`
`
`
`
`
`
`
`
`originated from a phone other than the cell phone, the caller
`
`
`
`
`
`
`
`
`
`
`id is not reliable as there are many instances where the
`
`
`
`
`
`
`
`
`
`
`
`telephone company does not originate or verify the caller id
`
`
`
`
`
`
`
`
`
`
`but passes through the caller id as it is entered by the caller.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`[0046]
`System 10B allows the user the flexibility to use
`
`
`
`
`
`
`
`
`
`
`any phone such as cell phone, home phone, or office phone
`
`
`
`
`
`
`
`
`
`
`
`for remote user authentication. Once a caller is authenticated
`
`
`
`
`
`
`
`
`via either process A or B to the server 30, the server then can
`
`
`
`
`
`
`
`
`
`
`
`
`
`deliver any number of services. Such services may include
`
`
`
`
`
`
`
`
`
`creation and delivery of a temporary password for access to
`
`
`
`
`
`
`
`
`
`a system, delivery of other services such as routing the
`
`
`
`
`
`
`
`
`
`
`connection to an online bank telephone network for banking
`
`
`
`
`
`
`
`
`
`transaction via the phone.
`
`
`
`
`
`[0047] Additional services may also be delivered by the
`
`
`
`
`
`
`
`
`
`server 30, which a caller is authorized to receive. Such
`
`
`
`
`
`
`
`
`
`
`services may be from a group that includes, providing an
`
`
`
`
`
`
`
`
`
`
`access code to gain entrance to a facility and providing an
`
`
`
`
`
`
`
`
`
`
`
`access code to gain access to an automated teller machine.
`
`
`
`
`
`
`
`
`
`
`
`[0048]
`FIG. 5 illustrates the call handling logic 44 pro-
`
`
`
`
`
`
`
`
`
`vided by the cell companies 20 of the cellular network 40
`
`
`
`
`
`
`
`
`
`
`
`and an adaptation of that logic 44 of this invention that
`
`
`
`
`
`
`
`
`
`
`
`assures the authentication server 30 the reliability of caller
`
`
`
`
`
`
`
`
`
`id, for the calls that originate on a cell phone 12.
`
`
`
`
`
`
`
`
`
`
`
`[0049] The cell phone 12 has a SIM card 13 and a cell
`
`
`
`
`
`
`
`
`
`
`
`
`phone logic 35 that interfaces to a cell company call han-
`
`
`
`
`
`
`
`
`
`
`dling logic 44 via wireless, using radio frequency waves.
`
`
`
`
`
`
`
`
`
`
`
`
`[0050] The logic 44 may have three different databases A,
`
`
`
`
`
`
`
`
`
`
`B and C to facilitate logic 44. The database A may maintain
`
`
`
`
`
`
`
`
`
`
`
`
`data fields such as account number 70, account status 72,
`
`
`
`
`
`
`
`
`
`
`customer class 74, SIM id 175, encryption key 76, caller id
`
`
`
`
`
`
`
`
`
`
`
`77, and SIM id 278. The database B may maintain subscriber
`
`
`
`
`
`
`
`
`
`
`
`personal data such as account number 70, social security
`
`
`
`
`
`
`
`
`
`number 80, driver license 82, name 82, address 84, and date
`
`
`
`
`
`
`
`
`
`
`
`of birth 86. The database C may maintain data such as
`
`
`
`
`
`
`
`
`
`
`
`account number 70, destination number 90, destination tag
`
`
`
`
`
`
`
`
`92, time and date 94 and geographic cell at time of call
`
`
`
`
`
`
`
`
`
`
`
`
`origination 96.
`
`
`
`[0051] The logic 44, when it receives a request for con-
`
`
`
`
`
`
`
`
`
`
`nection from a cell phone 12, identifies the caller via SIM
`
`
`
`
`
`
`
`
`
`
`id175 in its database A. Then the logic 44 finds the corre-
`
`
`
`
`
`
`
`
`
`
`
`sponding encryption key 76 of SIM and decrypts a second-
`
`
`
`
`
`
`
`
`
`ary SIM id 278 as the serial number SIM Id 278 is encrypted.
`
`
`
`
`
`
`
`
`
`
`
`
`It is verified in the database A after decryption using the key
`
`
`
`
`
`
`
`
`
`
`76.
`
`
`
`
`
`
`
`[0052] The logic 44 having verified the origin of the call
`
`
`
`
`
`
`
`
`
`
`
`from the SIM card 13, as described above, then checks the
`
`
`
`
`
`
`
`
`
`
`
`account status 72 by account number 70. The account status
`
`
`
`
`
`
`
`
`
`
`72 enables the phone company to restrict the routing of the
`
`
`
`
`
`
`
`
`
`
`
`call
`to the destination. For example,
`if the payment
`is
`
`
`
`
`
`
`
`
`
`
`overdue or the minutes on a prepaid phone have expired, or
`
`
`
`
`
`
`
`
`
`
`call is to an outside area, the call routing to the destination
`
`
`
`
`
`
`
`
`
`
`
`
`is disabled and a message is delivered to the caller about the
`
`
`
`
`
`
`
`
`
`
`
`status of the account.
`
`
`
`
`
`[0053] The logic 44 also creates a log of all calls as shown
`
`
`
`
`
`
`
`
`
`
`
`
`in database C. The log may include, destination tags 92,
`
`
`
`
`
`
`
`
`
`
`b