(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2011/0219230 A1
Oberheide et al.    (43) Pub. Date: Sep. 8, 2011
US 20110219230A1

(54) SYSTEM AND METHOD OF NOTIFYING MOBILE DEVICES TO COMPLETE TRANSACTIONS

(76) Inventors: Jon Oberheide, Ann Arbor, MI (US); Douglas Song, Ann Arbor, MI (US); Adam Goodman, Ann Arbor, MI (US)

(21) Appl. No.: 13/039,209

(22) Filed: Mar. 2, 2011

Related U.S. Application Data

(60) Provisional application No. 61/309,885, filed on Mar. 3, 2010.

Publication Classification

(51) Int. Cl. H04L 9/32 (2006.01)

(52) U.S. Cl. 713/168

(57) ABSTRACT

A method including registering an authority device for an account on an auth platform; receiving transaction request from an initiator to the auth platform; messaging the authority device with the transaction request; receiving an authority agent response from the authority device to the auth platform; if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator; and if the authority agent response denies the transaction, communicating a denied transaction to the initiator.
[Front-page figure: flow between a REQUESTING PARTY, the AUTH PLATFORM and one or more AUTHORITY DEVICEs. Legible labels: REQUEST AUTHORIZATION, "authorization from an authoritative agent", "2 out of 3 authority device confirmations", REGISTER DEVICE S110, PUSH TX MESSAGE S130, CONFIRM TX, USER #1, DEVICE. Remaining labels are not recoverable from the scan.]

Page 1 of 10
GOOGLE EXHIBIT 1006
Patent Application Publication    Sep. 8, 2011    Sheet 1 of 5    US 2011/0219230 A1

[Sheet 1 of 5 figure. Legible labels: REQUESTING PARTY, REQUEST AUTHENTICATION, AUTHENTIC USER, CONFIRM TX, REGISTER DEVICE S110, PUSH TX MESSAGE S130, AUTH PLATFORM, "LEGIT TX:". Remaining labels are not recoverable from the scan.]
[Sheet 2 of 5 figure: labels not recoverable from the scan.]
[Sheet 3 of 5 figure: labels not recoverable from the scan.]
[Sheet 4 of 5 figure. Legible labels: INITIATE TX, REQUESTING PARTY, REQUEST AUTHORIZATION S120, CONFIRM TX, "AUTHENTICATION and AUTHORIZATION TX: An authenticated transaction requires authorization from an authoritative agent", AUTHORITY DEVICE, AUTH PLATFORM, AUTHENTIC USER, REGISTER DEVICE S110, PUSH TX MESSAGE S130, PUSH TX AUTHZ MESSAGE, AUTHORITATIVE AGENT. Remaining labels are not recoverable from the scan.]
[Sheet 5 of 5 figure. Legible labels: INITIATOR, "AUTHORIZATION TX: ... requires authorization from an authoritative agent", REQUEST AUTHORIZATION S120, REGISTER DEVICE S110, PUSH TX MESSAGE S130, "CONFIRM TX with 2 out of 3 authority device confirmations", AUTH PLATFORM, AUTHORITY DEVICE, USER #1, USER #2, DEVICE. Remaining labels are not recoverable from the scan.]

SYSTEM AND METHOD OF NOTIFYING MOBILE DEVICES TO COMPLETE TRANSACTIONS

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application claims the benefit of US Provisional Application No. 61/309,885, filed 3 Mar. 2010, titled “SYSTEM AND METHOD OF USING PUSH-BASED CHALLENGES ON MOBILE DEVICES FOR AUTHENTICATION OR AUTHORIZATION”, which is incorporated in its entirety by this reference.
TECHNICAL FIELD

[0002] This invention relates generally to the digital security services field, and more specifically to a new and useful system and method of notifying mobile devices to complete transactions in the digital security field.

BACKGROUND

[0003] Fraudulent transactions, whether executed online by a malicious party who has stolen a user’s online banking password or offline by a malicious party entering a restricted building using a forged identification card, are indicators of a lack of authentication in present day security systems. Similarly, authorization (permission to complete a transaction) is limited without a strong notion of authentication. Traditionally, techniques for authentication are classified into several broad classes such as “what you know” (e.g., passwords or a social security number), “what you have” (e.g., physical possessions such as ATM cards or a security dongle), and “what you are” (e.g., biometric information such as a fingerprint or DNA). However, many of these solutions are burdensome to users, requiring the user to remember information or carry extra devices to complete a transaction. Thus, there is a need in the digital security services field to create a new and useful system and method of notifying mobile devices to complete transactions. This invention provides such a new and useful system and method.

BRIEF DESCRIPTION OF THE FIGURES

[0004] FIGS. 1 and 2 are schematic representations of a method of a preferred embodiment for authenticating a transaction;

[0005] FIG. 3 is a schematic representation of a method of a preferred embodiment for authorizing a transaction;

[0006] FIG. 4 is a schematic representation of a method of a preferred embodiment for authenticating and authorizing a transaction; and

[0007] FIG. 5 is a schematic representation of a method of a preferred embodiment with a plurality of authority devices.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0008] The following description of the preferred embodiments of the invention is not intended to limit the invention to these preferred embodiments, but rather to enable any person skilled in the art to make and use this invention.
[0009] As shown in FIGS. 1-3, the method of the preferred embodiments for notifying mobile devices to complete transactions includes registering an authority device for an account on an auth platform S110, receiving a transaction request from an initiator to the auth platform S120, messaging the authority device with the transaction request S130, receiving an authority agent response from the authority device to the auth platform S140, if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator S150, and if the authority agent response denies the transaction, communicating a denied transaction to the initiator S152. The method functions to use push-based challenges on mobile devices for the authentication and/or authorization of parties involved in a transaction. The method functions to utilize non-intrusive techniques while providing improved security. The pushed messages preferably alert a user to the transaction request in real-time such that a decision of confirmation or denial of a transaction can be communicated to a requesting party with minimal time lag (e.g., preferably less than a minute, and more preferably less than 10 seconds). The method may be employed as standalone transaction validation or incorporated into a multifactor system. The method may be used in applications such as web-based applications, remote access credentials, privileged account management, financial transactions, password recovery/reset mechanisms, physical access control, Automatic Teller Machine (ATM) withdrawals, domain name transfers, online or offline transactions, building access security, or any suitable application requiring authentication and/or authorization.
[0010] The method is preferably performed by an auth platform that communicates with a client of an initiating agent and an authority device associated with an account of the auth platform. The auth platform is preferably an internet accessible server that may be hosted on a distributed computing system, but may be hosted on any suitable platform. The initiating agent is typically a user or process that initiates a transaction. The requested transaction is preferably initiated by the initiating agent through a client such as a website, application, or device (e.g., an ATM machine). For authentication, the initiating agent may be a legitimate party or a malicious party attempting to fraudulently impersonate the legitimate party. For authorization, the initiating agent may be a legitimate authenticated party but may require approval from other parties to perform the action of the transaction. The authority device is preferably a device associated with an authentic agent that is a user or process that is legitimately authenticated or authorized to execute transactions. Even if a malicious entity were attempting to impersonate a user or authentic agent through stolen credentials or other means, they would, ideally, lack the authority device to complete a transaction.
[0011] Step S110, which includes registering an authority device for an account on an auth platform, functions to identify a device of an agent that is permitted to authenticate or authorize transactions. The registration preferably occurs prior to a transaction request, and is preferably performed during an initial setup of an account on the auth platform. During the setup, authentication and/or authorization rules are preferably set. The authority device is preferably a mobile computing device possessed by an authentic user or an authorized agent. The mobile device is preferably a mobile phone, tablet computer, smartphone, personal data assistant (PDA), personal computer, and/or any suitable computing device. The authority device preferably has access to a network over which communication with the auth platform is performed, such as a WiFi network, local-area network, telephony network, short message service (SMS) network, multimedia messaging service (MMS), or any suitable network. A plurality of devices may additionally be registered, as shown in FIG. 5. A second authority device may provide a backup communication point if a primary authority device does not respond. For example, after attempting to contact a primary authority device, the auth platform may message a secondary authority device for authentication or authorization. Or, alternatively, a threshold of two confirmations may need to be received to authorize a transaction. Additionally, a first authority device may be registered for authenticating the identity of an agent of the transaction request, and a second authority device may be registered for authorizing an action of an agent such that authentication and authorization may both be enabled, as shown in FIG. 4.
[0012] Step S120, which includes receiving a transaction request from an initiator to the auth platform, functions to initiate a transaction. The transaction is preferably any event, transfer, action, or activity that requires authentication and/or authorization of an involved party. Exemplary transactions may include logging into a website, application or computer system; a user withdrawing money from an ATM; a user initiating a “forgotten password” procedure; a user attempting to enter a restricted area of a building or environment; a payment exchange between two entities; a user attempting to perform a restricted action in a computer system; and/or any suitable application requiring authentication and/or authorization. Authentication preferably includes validating the identity of at least one involved party relevant to a transaction. Authorization preferably includes validating authority or permission of an entity to execute a transaction. For authentication, the authority device preferably belongs to the authentic user for self-approval of transactions. For authorization, the authority device preferably belongs to an authoritative user that is preferably in charge of regulating transactions of a user involved in the transaction. The transactions are preferably initiated in an online environment, where parties may be communicating using a computing device or public/private network, but the transactions may alternatively occur offline where parties may be interacting in the real world. The user or device initiating the transaction is ideally a legitimate party, as shown in FIG. 1, but in the situations where a malicious party initiates or participates in the transaction, the method is preferably able to properly identify such a situation, as shown in FIG. 2. After a malicious transaction is prevented, the approval rules for a transaction may be dynamically altered to increase security. The transaction is preferably sent from a requesting entity such as a website, application, or device. The requesting entity is typically a system in communication with the auth platform. An application programming interface (API) or any suitable protocol is preferably used to communicate between the requesting entity and the auth platform. In one variation, the communication sent from the requester is encrypted and the authority device preferably decrypts the information. This variation preferably prevents the auth platform from inspecting or accessing the communicated information, which may be applicable when a third party is passing sensitive information through the auth platform. As an alternative variation, the communication between the requester and the auth platform is preferably encrypted or otherwise cryptographically protected and communication between the auth platform and the authority device verifies that the communication is from the authority device. Any suitable steps may be taken to secure the communication between the requesting entity, the auth platform and the authority device.
[0013] Step S130, which includes messaging the authority device with the transaction request, functions to push a notification to a secondary device for authentication or authorization. The authority device is preferably a device only the authentic user or an authorized user would possess. The message is preferably sent through a communication channel between the authority device and the auth platform. The communication channel is preferably a push notification service provided through the authority device. The communication channel may alternatively be a short message system (SMS) network, email, an instant message, an in-app notification system, web based websocket or publication-subscription channels, image based transmission of transaction information such as through QR-codes captured by a camera, or any suitable technique for messaging the device. The messages preferably appear on the authority device or create an alert in substantially real-time (e.g., in less than 5 minutes). The realtime aspect of the messaging functions to enable authentication and authorization at the time of the transaction. In one variation, tracking a registered authority device may additionally be performed by the auth platform. For example, in a persistent TCP/IP connection model, a mobile device moving from a service provider data network to a WiFi network may change IP addresses and therefore initiate a new persistent connection. Upon receiving that new connection and an identifier of the mobile device, the auth platform preferably updates the state of the device for the account associated with that device. Then, the proper connection is preferably used for messaging the authority device. Some communication channels may have limited throughput and lack the capability to present a full message from the auth platform. For example, SMS messages have a 160 character limit. An initial message may include a unique identifier, which can then be used to retrieve a full message. For example, the SMS message may include a URL link or code which can be used to retrieve a full message from an application or website. The full message may provide additional information and options for a transaction response. The messages transmitted over the communication channel may additionally be cryptographically signed and encrypted using an established setup between the auth device and the auth platform. Additionally the messages preferably include transaction information (i.e., metadata). The transaction information may include account or entity name, transaction details, location and time of transaction, IP address of initiating host, geolocation of the IP address or any suitable information or any suitable data on the transaction. In one example an online bank transfer may have a message with transaction information including payer, payee, account numbers, transfer amount, and transaction date and time.
[0014] Step S140, which includes receiving an authority agent response from the authority device to the auth platform, functions to process a response from an authentic user or authorized user. The response preferably confirms or denies a transaction. The confirmation and denial of a transaction may additionally be set to indicate any suitable form of response. Preferably, the initial options are to accept or reject a transaction. Additionally, if a transaction is rejected a reason for rejection may be included such as “canceled because of change of mind” or “possible malevolent transaction”. Other variations may include a variety of options that may change based on the application. The available forms of responses may be included in the message information. Other forms of responses may allow a variety of multiple-choice options, variable setting options, or any suitable form of response input. For example, if a parent is acting as an authorization provider for ATM withdrawals made by a child, a message may be sent to a phone of the parent indicating that the child is attempting to withdraw a particular amount (e.g., $50). The parent may be able to respond allowing a withdrawal of only a lower amount (e.g., $20). As an additional sub-step to receiving an authority agent response, the response is preferably verified to be a legitimate response from the authority device as opposed to an entity imitating the device. Secure Socket Layer (SSL), a Hash-based Message Authentication Code (HMAC), message signing, or any suitable cryptographic protocol may be used to verify the response is from the authority device.
[0015] Steps S150 and S152, which include if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator, and if the authority agent response denies the transaction, communicating a denied transaction to the initiator, function to communicate the authentication and/or authorization to the initiator of the transaction. Any suitable response to a transaction is preferably communicated back to the requesting entity (e.g., a third party website or an ATM machine). The requesting entity can then preferably take appropriate action. If the transaction is confirmed or approved, the transaction proceeds. If the transaction is denied or altered, the requesting entity preferably halts or prevents the transaction. The requesting entity can preferably use the transaction response to modify a transaction state in any suitable manner. Based on the variety of responses from authentic users and/or authorized users, rules may determine when to confirm or deny a transaction. In a variation of the method, there may be a plurality of authority devices registered for authorization and/or authentication. A rule may be set up for which authority devices to message, in what order, and the timing of the messaging. Additionally, rules may be set for received responses. A particular threshold for the number of responses from the plurality of authority devices may be set. For example, four authority devices may be messaged for authorization and at least three must confirm the transaction for it to be confirmed. In another example, a plurality of authority devices for authentication may be registered, and the authority devices are messaged one after the other until at least one responds. The response from an authority agent may alternatively be passed on to the requesting entity with no analysis.
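The following is a compact model of the auth platform side of steps S110 to S152, added here as an illustration; it is not code from the patent or from the inventors. Devices enrol with a per-device shared secret (S110), a transaction request fans out as one push message per registered device (S120, S130), every authority response is HMAC-verified and checked for replay and expiry before it is tallied (the verification sub-step of paragraph [0014]), and the "four devices, at least three must confirm" rule of paragraph [0015] together with the lower-amount approval of paragraph [0014] decide what is reported to the initiator (S150/S152). The class and function names, the JSON response layout and the in-memory storage are assumptions of this example.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


def _canonical(payload: dict) -> bytes:
    # Stable byte encoding so device and platform compute the MAC over identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(key: bytes, payload: dict) -> str:
    # Authority-device side: HMAC-SHA256 over the canonical response, keyed with the
    # secret established at registration. The platform recomputes this in S140.
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


@dataclass
class Transaction:
    tx_id: str
    account: str
    info: dict                       # transaction metadata pushed to the devices
    expires_at: float
    responses: dict = field(default_factory=dict)  # device_id -> verified response
    status: str = "pending"          # pending | confirmed | denied


class AuthPlatform:
    """Hypothetical in-memory auth platform (example only, names are assumed)."""

    def __init__(self, threshold: int = 1, ttl_seconds: float = 60.0):
        self.devices: dict = {}       # account -> {device_id: shared key}
        self.transactions: dict = {}  # tx_id -> Transaction
        self.threshold = threshold    # confirmations required, e.g. 3 of 4 devices
        self.ttl = ttl_seconds        # how long a pushed request stays answerable

    def register_device(self, account: str, device_id: str) -> bytes:
        # S110: enrol the device and establish the per-device secret.
        key = secrets.token_bytes(32)
        self.devices.setdefault(account, {})[device_id] = key
        return key

    def receive_transaction_request(self, account: str, info: dict):
        # S120 + S130: record the request and build one push message per device.
        # tx_id is fresh per transaction, so a MAC over one response cannot be
        # replayed against a different transaction.
        tx_id = secrets.token_hex(8)
        tx = Transaction(tx_id, account, dict(info), time.time() + self.ttl)
        self.transactions[tx_id] = tx
        messages = [{"tx_id": tx_id, "device_id": d, "info": tx.info}
                    for d in self.devices.get(account, {})]
        return tx_id, messages

    def receive_authority_response(self, payload: dict, mac: str) -> str:
        # S140: verify the response really comes from a registered authority
        # device, drop replays and late answers, then tally toward S150/S152.
        tx = self.transactions.get(payload.get("tx_id"))
        if tx is None or tx.status != "pending":
            return "ignored"
        if time.time() > tx.expires_at:
            tx.status = "denied"
            return tx.status
        key = self.devices.get(tx.account, {}).get(payload.get("device_id"))
        if key is None or not hmac.compare_digest(sign_response(key, payload), mac):
            return "rejected"         # unknown device, or payload altered in transit
        if payload["device_id"] in tx.responses:
            return "duplicate"        # one answer per device per transaction
        tx.responses[payload["device_id"]] = payload
        confirms = [r for r in tx.responses.values() if r["decision"] == "confirm"]
        denials = len(tx.responses) - len(confirms)
        if len(confirms) >= self.threshold:
            tx.status = "confirmed"
            # An authority may approve a lower amount than requested ([0014]);
            # the approved amount is the smallest any confirming device allowed.
            if "amount" in tx.info:
                tx.info["amount"] = min(tx.info["amount"],
                                        *[r.get("amount", tx.info["amount"]) for r in confirms])
        elif len(self.devices[tx.account]) - denials < self.threshold:
            tx.status = "denied"      # too few devices left to reach the threshold
        return tx.status
```

The returned status is what the platform would communicate back to the requesting entity; "rejected" and "duplicate" never reach the initiator and are the events a defender would log.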
[0016] An alternative embodiment preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with an auth platform. The auth platform is preferably hosted on a distributed computing system or cloud based platform but may alternatively be hosted in any suitable system. The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a processor but the instructions may alternatively or additionally be executed by any suitable dedicated hardware device. The auth platform preferably includes an API for third party services and devices to use in initiating transactions and interpreting responses from the auth platform. The platform preferably includes a communication channel such as a public or private network or SMS network to communicate with at least one authority device. The authority device is preferably a mobile phone but may be any suitable personal computing device.
[0017] As a person skilled in the art will recognize from the previous detailed description and from the figures and claims, modifications and changes can be made to the preferred embodiments of the invention without departing from the scope of this invention defined in the following claims.
We claim:

1. A method of completing a transaction comprising the steps of:
registering an authority device for an account on an auth platform;
receiving transaction request from an initiator to the auth platform;
messaging the authority device with the transaction request wherein the message is pushed as a notification for an application of the authority device;
receiving an authority agent response from the authority device to the auth platform, and cryptographically authenticating the response from the authority device;
if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator; and
if the authority agent response denies the transaction, communicating a denied transaction to the initiator.

2. A method of completing a transaction comprising the steps of:
registering an authority device for an account on an auth platform;
receiving transaction request from an initiator to the auth platform;
messaging the authority device with the transaction request;
receiving an authority agent response from the authority device to the auth platform;
if the authority agent response confirms the transaction, communicating a confirmed transaction to the initiator; and
if the authority agent response denies the transaction, communicating a denied transaction to the initiator.

3. The method of claim 2, wherein messaging the authority device includes pushing a notification to a mobile application.

4. The method of claim 3, wherein pushing a notification is performed over a channel with real-time alerts on the authority device.

5. The method of claim 4, wherein pushing a notification includes sending an SMS message to the authority
